CN105610671A - Terminal data protection method and device - Google Patents
- Publication number: CN105610671A (application number CN201610016234.4A)
- Authority: CN (China)
- Prior art keywords: application, application program, workspace, terminal, data
- Legal status: Pending (the status is an assumption by Google Patents, not a legal conclusion; no legal analysis has been performed)
Classifications
- H04L63/0428: network security; confidential data exchange over packet networks where the data content is protected, e.g. by encrypting or encapsulating the payload
- G06F21/6245: security arrangements for protecting computers, programs or data; protecting personal data, e.g. for financial or medical purposes (under G06F21/6218, protecting access to a file system or database via a platform, e.g. using keys or access control rules)
- H04L12/4641: data switching networks; virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L63/08: network security; authentication of entities
- H04L63/101: network security; access control lists [ACL]
- H04L67/30: network services; profiles (under H04L67/2866, architectures and arrangements)
Abstract
The invention discloses a terminal data protection method comprising the following steps: establishing a workspace in a terminal for storing enterprise data; encrypting the data stored in the workspace in the TF card of the terminal according to a preset encryption algorithm; when a data access request is detected, obtaining the identity authentication information of the request, which comprises the device identification number of the terminal and the identifier of the TF card; and accepting the data access request when the identity authentication information is judged to pass authentication. With the method and device of the invention, the terminal data is protected.
Description
Technical field
The application belongs to the field of intelligent mobile devices and relates in particular to a method and device for protecting terminal data.
Background technology
With the maturation and spread of intelligent terminals, personal devices such as mobile phones and tablet computers have entered the enterprise. Many enterprises have begun to support employees using enterprise applications on personal mobile devices, and working from a personal intelligent terminal has become an irreversible trend. This phenomenon, known as BYOD (Bring Your Own Device), brings enterprises new opportunities, but opportunity is accompanied by risk. Mobile devices are easily lost because of their portability: 70 million mobile phones are lost every year, 60% of them containing sensitive information, so the enterprise sensitive data saved on mobile devices faces the risk of disclosure. A 2013 Varonis survey report on enterprise BYOD trends showed that 50% of the enterprises interviewed had lost a device storing important enterprise data, and 23% had suffered a data security incident. Losing a device not only means leakage of sensitive business information; the lost device may also become a springboard for attacks on the enterprise network. According to the survey, although 85% of enterprises had taken confidentiality measures, 23% still suffered leaks. Besides photographing data or storing it on a mobile phone and then leaking it, the main leak paths of employees include former employees copying important enterprise information and thereby betraying the data.
These employee behaviours, whether unintentional or intentional, cause important enterprise information to leak, which brings the enterprise not only property loss and disruption of its business operations but also damage to its goodwill.
Therefore, a method for protecting terminal data is urgently needed.
Summary of the invention
In view of this, the technical problem addressed by this application is to provide a method and device for protecting terminal data.
The application discloses a method for protecting terminal data, executed at the hardware layer, which mainly comprises the following steps:
establishing, in the terminal, a workspace for storing enterprise data;
encrypting the data stored in the workspace in the TF card of the terminal according to a preset encryption algorithm;
when a data access request is detected, obtaining the identity authentication information of the data access request;
when the identity authentication information is judged to pass authentication, accepting the data access request.
Encrypting the stored data according to the preset encryption algorithm specifically comprises:
selecting the corresponding encryption algorithm according to the terminal user's settings, and calling the SDK of the TF card to perform the cryptographic operation on the data saved by the terminal.
The identity authentication information of the data access request comprises: the TF card identifier of the terminal, the SIM identifier, the device identification number, and the network state of the terminal.
Accepting the data access request when the identity authentication information is judged to pass authentication further comprises:
when it is detected that the calling and called numbers of a call are stored in the workspace database, encrypting the call.
Accepting the data access request when the identity authentication information is judged to pass authentication further comprises:
when it is detected that the sender's and recipient's telephone numbers of a text message (SMS) are stored in the workspace database, obtaining the recipient's public key from the key management server and using the TF card to encrypt the plaintext message content into an encrypted message, so that the recipient can perform the decryption of the encrypted message in the TF card with the private key and recover the plaintext message.
A method for protecting terminal data, executed at the application layer, further comprises:
monitoring the system events of the terminal and judging whether a system event matches a preset workspace rule; the system events comprise call events and SMS events;
when the system event matches the workspace rule, performing the operation corresponding to the system event inside the workspace, encrypting the data corresponding to that operation and storing it in the workspace database.
Specifically, when the calling or called number of a call, or the sender's or recipient's telephone number of a text message, is judged to be stored in the workspace database, the call record or message is encrypted, stored in the workspace database, and deleted from the terminal's call log or message store. When the call event is an outgoing call, the record is deleted from the terminal's call log; a call options interface is provided through which the user chooses whether, for an incoming call whose calling or called number is stored in the workspace database, the record is deleted from the terminal's call log.
Specifically, a mail rule options interface is provided through which the user sets the e-mail accounts that may only be received in the workspace or only by workspace applications, and those e-mail accounts are stored in the workspace database;
when the system event is judged to be the receipt of a mail whose sender's e-mail account is stored in the workspace database, the mail content and the downloaded attachments are encrypted and stored in the workspace database.
A method for protecting terminal data, executed at the operating system layer, further comprises:
receiving an installation request initiated for an application listed in an application free-install list, the free-install list being obtained from the server;
when an application blacklist is confirmed to be deployed, judging whether the application to be installed is in the blacklist; if so, forbidding its installation, otherwise installing it;
when an application whitelist is confirmed to be deployed, judging whether the application to be installed is in the whitelist; if so, installing it, otherwise forbidding its installation. The application blacklist or whitelist is configured by the server.
Installing the application specifically comprises:
downloading the installation package of the application from the server according to the installation request, and modifying the Manifest file of the package so that the application's entry point is forced into the workspace.
When the blacklist configured by the server is received, the terminal checks, by the name and version number of each application listed in the blacklist, whether any listed application is installed in the personal zone storage, and issues a warning that installation of that application is forbidden for each one detected;
when the whitelist configured by the server is received, the terminal checks, by the name and version number of the applications listed in the whitelist, whether any application not listed in the whitelist is installed in the personal zone storage, and issues a warning that installation of that application is forbidden for each one detected.
The method also comprises: adding uninstall-monitoring code to the installation package of the application, so that the terminal, on detecting that the device corresponding to this data protection method has been uninstalled, clears the data of the target application in the workspace.
The method also comprises: adding server-communication code to the installation package of the application, so that the terminal clears the data of the corresponding application in the workspace when it receives a data-wipe command sent by the server.
The method also comprises: adding encryption and decryption code to the installation package of the application, so that the terminal encrypts and decrypts the data read from and written to the workspace.
The method also comprises: adding isolation code to the installation package of the application, so that the terminal intercepts the launch of applications in the workspace and sends the launch request to the server, which decides how the application is opened.
A method for protecting terminal data, executed at the application layer, further comprises:
receiving the location-based security policy that the server issues for the mobile terminal; the security policy comprises: within a specified geographic region, disabling at least one specific system function of the terminal; within a specified geographic region, forbidding the start-up and running of at least one specific application on the terminal;
periodically checking whether the terminal itself is within the geographic region specified in the location-based security policy;
if so, executing the security policy.
When the security policy is:
forbidding the start-up and running of at least one specific application on the terminal within the specified region, the security policy comprises the specified geographic region information and the security class information of the applications allowed and not allowed to start and run; executing the security policy specifically comprises:
sending the server a query for the private attribute information and the public attribute information of all locally installed applications;
looking up the corresponding security class information in the private attribute information and in the public attribute information obtained for each application;
combining the security class information found in each application's private attribute information and public attribute information into the security class of that application;
determining from the security class of each application whether it is allowed to start and run within the specified region.
A method for protecting terminal data, executed at the communication layer, further comprises:
establishing a dedicated network with a VPN, so that when an application in the workspace accesses the network, the communication data between the VPN server and the mobile terminal is encrypted; and/or
when an application in the workspace accesses the external network, checking the URL of the external site;
when the external URL is judged to carry an access risk, forbidding the application's access and adding the external URL to a risk list for subsequent judgement.
The application also discloses a device for protecting terminal data, located at the hardware layer, which mainly comprises the following modules:
an establishing module, for establishing in the terminal a workspace for storing enterprise data;
an encryption module, for encrypting the data stored in the workspace in the TF card of the terminal according to a preset encryption algorithm;
an authentication module, for obtaining the identity authentication information of a data access request when such a request is detected;
an access control module, for accepting the data access request when the identity authentication information is judged to pass authentication.
The encryption module is specifically configured to select the corresponding encryption algorithm according to the terminal user's settings and to call the SDK of the TF card to perform the cryptographic operation on the data saved by the terminal.
The identity authentication information comprises: the TF card identifier of the terminal, the SIM identifier, the device identification number, and the network state of the terminal.
The access control module is further configured to encrypt the call when it detects that the calling and called numbers of a call are stored in the workspace database.
The access control module is further configured to:
when it detects that the sender's and recipient's telephone numbers of a text message are stored in the workspace database, obtain the recipient's public key from the key management server and use the TF card to encrypt the plaintext message content into an encrypted message, so that the recipient can perform the decryption of the encrypted message in the TF card with the private key and recover the plaintext message.
A device for protecting terminal data, located at the application layer, further comprises:
a monitoring module, for monitoring the system events of the terminal and judging whether a system event matches a preset workspace rule; the system events comprise call events and SMS events;
an execution module, for performing, when the system event matches the workspace rule, the operation corresponding to the system event inside the workspace, encrypting the data corresponding to that operation and storing it in the workspace database.
The execution module further comprises a call and SMS execution module, which is used for:
when the calling or called number of a call, or the sender's or recipient's telephone number of a text message, is judged to be stored in the workspace database, encrypting the call record or message, storing it in the workspace database, and deleting it from the terminal's call log or message store; when the call event is an outgoing call, deleting the record from the terminal's call log; and providing a call options interface through which the user chooses whether, for an incoming call whose calling or called number is stored in the workspace database, the record is deleted from the terminal's call log.
The execution module further comprises a user option module and a mail execution module. The user option module provides a mail rule options interface through which the user sets the e-mail accounts that may only be received in the workspace or only by workspace applications, and stores those e-mail accounts in the workspace database;
the mail execution module, when the system event is judged to be the receipt of a mail whose sender's e-mail account is stored in the workspace database, encrypts the mail content and the downloaded attachments and stores them in the workspace database.
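The application-layer rules above (in both the method and the device form) amount to an event router: every call, SMS and mail event is matched against the contacts and accounts held in the workspace database, a match is encrypted into the workspace, and the terminal's own call log or message store is purged so that no plaintext copy remains outside the workspace. The following is an added example of that routing logic written for this page; it is not code from the patent. The record formats, the `delete_incoming_records` flag standing in for the patent's call options interface, and the SHA-256 keystream used as the workspace cipher are assumptions of this demo.

```python
"""Constructed application-layer event router for the workspace rules: call, SMS
and mail events are matched against the workspace database, matches are encrypted
into it and removed from the terminal's own logs. The cipher is a demo stand-in."""
import hashlib
import secrets
from dataclasses import dataclass, field


def seal(key: bytes, data: bytes) -> bytes:
    """Demo stand-in for the workspace cipher (SHA-256 keystream); not for production."""
    nonce = secrets.token_bytes(16)
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(2, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return nonce + bytes(a ^ b for a, b in zip(data, ks))


@dataclass
class WorkspaceDB:
    """Workspace database: contacts and mail accounts define the rules; records are ciphertext."""
    contacts: set
    mail_accounts: set
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    records: list = field(default_factory=list)

    def store(self, kind: str, payload):
        data = payload if isinstance(payload, bytes) else payload.encode()
        self.records.append((kind, seal(self.key, data)))


@dataclass
class Terminal:
    """The terminal's own call log and SMS store, plus the user's call option."""
    call_log: list = field(default_factory=list)
    sms_store: list = field(default_factory=list)
    delete_incoming_records: bool = False   # assumed form of the call options interface


def handle_event(event: dict, ws: WorkspaceDB, term: Terminal) -> str:
    """Route one system event and report what was done with it."""
    kind = event["type"]
    if kind in ("call", "sms"):
        log = term.call_log if kind == "call" else term.sms_store
        log.append(event)                      # the OS records the event first
        if event["from"] not in ws.contacts and event["to"] not in ws.contacts:
            return "personal"
        ws.store(kind, f"{event['from']}>{event['to']}:{event.get('body', '')}")
        # Outgoing calls and all SMS are always purged; an incoming call's record
        # stays in the call log unless the user opted to delete it.
        keep = (kind == "call" and event["direction"] == "incoming"
                and not term.delete_incoming_records)
        if not keep:
            log.remove(event)
        return f"workspace: {kind} encrypted, " + (
            "copy left in call log" if keep else "removed from terminal log")
    if kind == "mail":
        if event["from"] not in ws.mail_accounts:
            return "personal"
        ws.store("mail", event["body"])
        attachments = event.get("attachments", {})
        for name, content in attachments.items():
            ws.store("attachment:" + name, content)
        return f"workspace: mail and {len(attachments)} attachment(s) encrypted"
    return "ignored"
```

The router never returns plaintext to the caller once a rule matches; the only readable copy of a workspace call or message is the ciphertext record in the workspace database, which is the property a device-loss scenario depends on.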
A device for protecting terminal data, located at the operating system layer, further comprises:
a receiving module, for receiving an installation request initiated for an application listed in an application free-install list, the free-install list being obtained from the server;
a first confirmation module, for judging, when an application blacklist is confirmed to be deployed, whether the application to be installed is in the blacklist; if so, forbidding its installation, otherwise installing it;
a second confirmation module, for judging, when an application whitelist is confirmed to be deployed, whether the application to be installed is in the whitelist; if so, installing it, otherwise forbidding its installation. The application blacklist or whitelist is configured by the server.
The device further comprises an installation module, which is specifically used for:
downloading the installation package of the application from the server according to the installation request;
modifying the Manifest file of the installation package so that the application's entry point is forced into the workspace.
Specifically, the first confirmation module, when the blacklist configured by the server is received, checks by the name and version number of each application listed in the blacklist whether any listed application is installed in the personal zone storage, and issues a warning that installation of that application is forbidden for each one detected;
the second confirmation module, when the whitelist configured by the server is received, checks by the name and version number of the applications listed in the whitelist whether any application not listed in the whitelist is installed in the personal zone storage, and issues a warning that installation of that application is forbidden for each one detected.
The installation module is also used for adding uninstall-monitoring code to the installation package of the application, so that the terminal, on detecting that the device corresponding to this data protection method has been uninstalled, clears the data of the target application in the workspace.
The installation module is also used for adding server-communication code to the installation package of the application, so that the terminal clears the data of the corresponding application in the workspace when it receives a data-wipe command sent by the server.
The installation module is also used for adding encryption and decryption code to the installation package of the application, so that the terminal encrypts and decrypts the data read from and written to the workspace.
The installation module is also used for adding isolation code to the installation package of the application, so that the terminal intercepts the launch of applications in the workspace and sends the launch request to the server, which decides how the application is opened.
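The operating-system-layer install gate described above (free-install list, then a server-configured blacklist or whitelist keyed on application name and version, an audit of what is already present in the personal zone, and a Manifest rewrite that forces the entry point into the workspace) is shown below as an added example written for this page, not code from the patent. The list format, the rule that an entry without a version matches every version, and the wrapper activity name `com.example.workspace.EntryActivity` are assumptions. Two practitioner caveats the patent leaves implicit: a real APK carries a binary AndroidManifest.xml, so the rewrite runs on a decoded manifest (for example one produced by apktool), and a repackaged APK must be re-signed with an enterprise key, which replaces the developer's signature and breaks store updates, so the scheme presumes an enterprise-controlled application source.

```python
"""Constructed OS-layer install gate: free-install list, blacklist/whitelist decision,
personal-zone audit, and a Manifest rewrite that makes the workspace wrapper the
only launcher entry. Activity name and list formats are assumptions for the demo."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)
NAME_ATTR = f"{{{ANDROID_NS}}}name"
WORKSPACE_ENTRY = "com.example.workspace.EntryActivity"   # assumed wrapper activity


def _listed(app: dict, entries: list) -> bool:
    """Match by package name and version; an entry without a version matches all versions."""
    return any(e["name"] == app["name"] and e.get("version") in (None, app["version"])
               for e in entries)


class InstallPolicy:
    def __init__(self, free_install: list, mode: str, entries: list):
        if mode not in ("blacklist", "whitelist"):
            raise ValueError("mode must be 'blacklist' or 'whitelist'")
        self.free_install, self.mode, self.entries = free_install, mode, entries

    def decide(self, app: dict) -> str:
        """Decision for an installation request: the free-install list is checked first."""
        if not _listed(app, self.free_install):
            return "reject: not in free-install list"
        hit = _listed(app, self.entries)
        if self.mode == "blacklist":
            return "reject: blacklisted" if hit else "install"
        return "install" if hit else "reject: not whitelisted"

    def audit_personal_zone(self, installed: list) -> list:
        """Warnings for personal-zone apps the current list forbids (listed under a
        blacklist, or not listed under a whitelist)."""
        bad = [a for a in installed if _listed(a, self.entries) == (self.mode == "blacklist")]
        return [f"{a['name']}@{a['version']}: installation forbidden" for a in bad]


def launcher_activities(manifest_xml: str) -> list:
    """Names of activities declaring a LAUNCHER intent filter."""
    root = ET.fromstring(manifest_xml)
    found = []
    for activity in root.find("application").findall("activity"):
        for filt in activity.findall("intent-filter"):
            if any(c.get(NAME_ATTR) == "android.intent.category.LAUNCHER"
                   for c in filt.findall("category")):
                found.append(activity.get(NAME_ATTR))
    return found


def force_entry_into_workspace(manifest_xml: str) -> str:
    """Rewrite a decoded AndroidManifest.xml so the workspace wrapper is the only
    launcher: the original activities lose their LAUNCHER category and the wrapper
    is declared with MAIN/LAUNCHER. The wrapper is assumed to start the original
    activity inside the workspace after the patent's server-side launch check."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    for activity in app.findall("activity"):
        for filt in activity.findall("intent-filter"):
            for cat in filt.findall("category"):
                if cat.get(NAME_ATTR) == "android.intent.category.LAUNCHER":
                    filt.remove(cat)
    wrapper = ET.SubElement(app, "activity",
                            {NAME_ATTR: WORKSPACE_ENTRY, f"{{{ANDROID_NS}}}exported": "true"})
    filt = ET.SubElement(wrapper, "intent-filter")
    ET.SubElement(filt, "action", {NAME_ATTR: "android.intent.action.MAIN"})
    ET.SubElement(filt, "category", {NAME_ATTR: "android.intent.category.LAUNCHER"})
    return ET.tostring(root, encoding="unicode")


# Constructed sample manifest (decoded form) for the demo.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.crm">
  <application android:label="CRM">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""
```

The audit uses the same matcher as the install decision, so a blacklist entry that names a version only flags that version in the personal zone, while an entry without a version flags every installed version.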
A device for protecting terminal data, located at the application layer, further comprises:
a second receiving module, for receiving the location-based security policy that the server issues for the mobile terminal; the security policy comprises: within a specified geographic region, disabling at least one specific system function of the terminal; within a specified geographic region, forbidding the start-up and running of at least one specific application on the terminal;
a geographic position checking module, for periodically checking whether the terminal itself is within the geographic region specified in the location-based security policy;
a security policy execution module, for executing the security policy when the geographic position checking module determines that the mobile terminal is within the geographic region specified in the location-based security policy.
When the security policy is: forbidding the start-up and running of at least one specific application on the terminal within the specified region, the security policy comprises the specified geographic region information and the security class information of the applications allowed and not allowed to start and run;
executing the security policy specifically comprises:
sending the server a query for the private attribute information and the public attribute information of all locally installed applications;
looking up the corresponding security class information in the private attribute information and in the public attribute information obtained for each application;
combining the security class information found in each application's private attribute information and public attribute information into the security class of that application;
determining from the security class of each application whether it is allowed to start and run within the specified region.
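The location-based policy (method and device forms above) is a periodic geofence check followed by a per-application decision made from a security class that combines the application's private (enterprise-assigned) and public attribute information. The following is an added example for this page, not code from the patent. The patent does not fix the region representation, the class vocabulary, or how the two pieces of attribute information are "combined"; this demo assumes a circular region given by centre and radius, an ordered class vocabulary, that the stricter of the two classes wins, and that an application with no private attribute information (one the enterprise never classified) is treated as unclassified and therefore blocked.

```python
"""Constructed model of the location-based security policy: geofence check, then a
per-app allow/block decision from the combined security class. Region shape, class
ordering and the 'stricter class wins' rule are assumptions of this demo."""
import math
from dataclasses import dataclass

# Assumed class vocabulary, least to most restrictive; 'unclassified' is the
# default when attribute information is missing.
CLASS_ORDER = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3, "unclassified": 4}


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres (mean earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371000 * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class GeoPolicy:
    """Server-issued policy: region, functions to disable, classes allowed to run."""
    centre: tuple                 # (lat, lon) of the specified region
    radius_m: float
    disable_functions: frozenset  # e.g. {"camera", "bluetooth"}
    allowed_classes: frozenset    # security classes allowed to start and run


def in_region(policy: GeoPolicy, lat: float, lon: float) -> bool:
    return haversine_m(lat, lon, *policy.centre) <= policy.radius_m


def combined_class(private_attrs: dict, public_attrs: dict) -> str:
    """Stricter of the private and public class; missing information is 'unclassified'."""
    priv = private_attrs.get("security_class", "unclassified")
    pub = public_attrs.get("security_class", "unclassified")
    return max(priv, pub, key=lambda c: CLASS_ORDER.get(c, CLASS_ORDER["unclassified"]))


def evaluate(policy: GeoPolicy, lat: float, lon: float, apps: dict) -> dict:
    """One check: apps maps name -> {"private": {...}, "public": {...}} as the
    server returns them. Outside the region nothing is enforced."""
    if not in_region(policy, lat, lon):
        return {"in_region": False, "disable": [], "apps": {}}
    verdict = {}
    for name, attrs in apps.items():
        cls = combined_class(attrs.get("private", {}), attrs.get("public", {}))
        verdict[name] = ("allow" if cls in policy.allowed_classes else "block") + f" ({cls})"
    return {"in_region": True, "disable": sorted(policy.disable_functions), "apps": verdict}


def periodic_check(policy: GeoPolicy, fixes: list, apps: dict) -> list:
    """Simulates the periodic check over a sequence of (lat, lon) fixes."""
    return [evaluate(policy, lat, lon, apps) for lat, lon in fixes]
```

Treating missing enterprise classification as the strictest class is the fail-closed choice: a personal application the enterprise has never looked at cannot run inside a controlled region merely because its store listing calls it harmless.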
A device for protecting terminal data, located at the communication layer, further comprises:
a network transmission encryption module, for establishing a dedicated network with a VPN, so that when an application in the workspace accesses the network, the communication data between the VPN server and the mobile terminal is encrypted; and/or
an external network access control module, for checking the URL of the external site when an application in the workspace accesses the external network;
when the external URL is judged to carry an access risk, forbidding the application's access and adding the external URL to a risk list for subsequent judgement.
The method and device for protecting terminal data provided by the embodiments of the present invention establish a workspace in the mobile terminal, encrypt the workspace data, and enforce access control by authenticating the data requester, ensuring the safety of the data at the hardware level. At the operating system layer, the user can only initiate installation of applications listed in the application free-install list, which guarantees the security and reliability of the application source; once an installation request is initiated, an application blacklist or whitelist mechanism decides it, so that only applications not in the blacklist, or only applications in the whitelist, may be installed and the installation of all other applications is refused, avoiding the risk that enterprise data on the mobile terminal is illegally uploaded, shared or leaked by malicious applications and thus effectively protecting enterprise information security. At the application layer, when a BYOD-capable mobile terminal enters an enterprise region that requires confidentiality and security control, the embodiments apply the security policy configured by the enterprise, ensuring enterprise information security, preventing leaks, and avoiding the security risk that the unfixed location of BYOD-capable mobile terminals poses to the enterprise. At the communication layer, the embodiments build a dedicated communication network with a VPN and control the user's access to the external network, achieving safe interworking of internal and external network data.
Brief description of the drawings
The drawings described here provide a further understanding of the application and form part of it; the schematic embodiments and their description explain the application and do not improperly limit it. In the drawings:
Fig. 1 is the technical flow chart of the method for protecting terminal data of an embodiment of the present invention executed at the hardware layer;
Fig. 2 is the technical flow chart of the method for protecting terminal data of an embodiment of the present invention executed at the application layer;
Fig. 3 is the technical flow chart of the method for protecting terminal data of an embodiment of the present invention executed at the operating system layer;
Fig. 4 is the technical flow chart of the method for protecting terminal data of an embodiment of the present invention executed at the operating system layer;
Fig. 5 is another technical flow chart of the method for protecting terminal data of an embodiment of the present invention executed at the application layer;
Fig. 6 is the structural diagram of the device for protecting terminal data of an embodiment of the present invention.
Detailed description of the invention
Most existing mobile devices allow the user to set a screen-lock mode and a screen-lock password. When the user is holding a handrail on a bus or subway and operating the device with one hand, and wants to open the device from the lock screen to start a target application or to read an unread message, unlocking with one hand and paging through screens to find the target app or the unread-message notification icon is very inconvenient; for this defect, a method for quickly starting an application at unlock time is proposed. The embodiments of this application are described in detail below with reference to the drawings and examples, so that the way the application applies technical means to solve the technical problem and achieve its technical effect can be fully understood and implemented accordingly.
Fig. 1 is a flow chart of the terminal data protection method according to an embodiment of the present invention as executed at the hardware layer. With reference to Fig. 1, the method comprises the following steps:
S101: establish in the terminal a workspace for storing enterprise data;
The workspace database is a database set up independently of the mobile terminal's original database and of the databases of the various applications on the terminal, and is used for storing workspace data. The workspace is a logical operating space that the user carves out of the mobile terminal's resources (memory, storage card, etc.). Workspace rules can be keywords in contacts, SMS messages, etc. Data added to the workspace can be placed in the workspace database or in the terminal's storage device. The encrypted data may be data in system files, or financial files, production files, sales files, marketing files, human-resources files, etc. selected by the user; important data may also be the user's personal files, for example photos, videos, diaries, etc.
S102: encrypt the workspace data in the terminal's TF card (a TransFlash/microSD card carrying a cryptographic unit) according to a preset encryption algorithm;
Specifically, the encryption algorithm is selected according to the terminal user's settings, and the SDK (software development kit) of the TF card is called to perform the encryption operation on the data held by the terminal. In this embodiment the TF card acts as an arithmetic unit providing hardware support for data encryption: the workspace data are passed to the TF card, and the data returned after the encryption operation are the encrypted data.
The encryption algorithm may be a symmetric cipher, an asymmetric cipher, a hash algorithm, etc. (note that a hash is one-way and cannot restore the data, so it serves integrity checking rather than confidentiality). This embodiment does not limit which algorithm is used for encryption; any algorithm that can realise the data encryption of the embodiment falls within its protection scope.
S103: when a data access request is detected, obtain the authentication information of the data access request;
Specifically, the authentication information includes: the TF card identifier of the terminal, the SIM identifier, the device identification number, and the terminal's network state.
Each TF card is assigned a unique ID by the manufacturer when it leaves the factory; this is the TF card identifier. When the encryption operation is performed, the ID of the TF card that performed it is recorded. When a data access request arrives, the TF card ID of the device is read and compared with the pre-recorded ID; if they match, data access is opened.
Note that the authentication of this embodiment uses not only the TF card ID but also the identifier of the mobile device and the SIM identifier. TF cards are mostly external expansion cards, and a TF card fits any device with a matching card slot; therefore, if the TF card used for data encryption is inserted into another device, recognising the TF card ID alone cannot confirm that it is the same user, and confidential data could leak. For this reason the embodiment binds the TF card ID uniquely to the device identifier: if the TF card is used in another device, authentication fails on data access and the encrypted data cannot be accessed.
Meanwhile, the data protection device must continually exchange data with the server over the network and accept commands sent from the web console, so this step also detects the terminal's current network state.
S104: when the authentication information is judged to pass authentication, accept the data access request.
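The following is an added example, not code from the patent or from any product implementing it, showing the S103/S104 check in working form. The page only says the TF card ID, SIM ID and device ID are "bound"; the example assumes the binding is kept as an HMAC over the three identifiers under a per-deployment secret, so the stored record can be compared but not forged or read back. The identifiers and key are constructed values.

```python
"""Access authentication for workspace data (S103/S104), as an added example."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TerminalIdentity:
    """Identifiers S103 collects for one access request."""
    tf_card_id: str   # unique ID written to the TF card at the factory
    sim_id: str       # SIM identifier
    device_id: str    # device identification number
    online: bool      # current network state


def enrol(identity: TerminalIdentity, binding_key: bytes) -> bytes:
    """Record the TF card / SIM / device binding when workspace data is first encrypted.

    The record is an HMAC over the ordered triple, keyed with a per-deployment secret
    (assumption: the page only says the IDs are 'bound'), so the stored value reveals
    nothing about the identifiers and cannot be forged without the key.
    """
    material = "\x1f".join((identity.tf_card_id, identity.sim_id, identity.device_id)).encode()
    return hmac.new(binding_key, material, hashlib.sha256).digest()


def authenticate(identity: TerminalIdentity, binding_key: bytes, recorded: bytes,
                 require_network: bool = True) -> tuple:
    """Return (accepted, reason). All three identifiers must match the enrolled binding;
    a TF card moved to another phone, or a swapped SIM, fails here."""
    if require_network and not identity.online:
        return False, "network not connected"
    if not hmac.compare_digest(enrol(identity, binding_key), recorded):
        return False, "TF card / SIM / device binding mismatch"
    return True, "ok"


# Constructed identities for the demonstration (not real card or device IDs).
BINDING_KEY = b"per-deployment-secret-example"
ORIGINAL = TerminalIdentity("TF-0001", "SIM-AAAA", "DEV-1111", online=True)
CARD_MOVED = TerminalIdentity("TF-0001", "SIM-AAAA", "DEV-2222", online=True)  # same card, other phone
SIM_SWAPPED = TerminalIdentity("TF-0001", "SIM-BBBB", "DEV-1111", online=True)
OFFLINE = TerminalIdentity("TF-0001", "SIM-AAAA", "DEV-1111", online=False)


def demo() -> dict:
    record = enrol(ORIGINAL, BINDING_KEY)
    return {
        name: authenticate(ident, BINDING_KEY, record)
        for name, ident in [("original", ORIGINAL), ("card_moved", CARD_MOVED),
                            ("sim_swapped", SIM_SWAPPED), ("offline", OFFLINE)]
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12s} accepted={ok} ({why})")
```

The comparison uses `hmac.compare_digest` so that a mismatching record is not distinguishable by timing; the network-state requirement is a parameter because the page needs it for server-driven functions such as secure calls, but plain local reads of already-decrypted data could reasonably be allowed offline.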
In one feasible embodiment, when the data access of this embodiment includes a call with a workspace contact, and it is detected that both the calling number and the called number of the call are stored in the workspace database, the call is encrypted.
Specifically, the following embodiment is also possible in this embodiment: the web console, in order to manage SMS security and call security, adds a secure-communication switch to the configuration file. The secure-call switch is off by default (when off, calling is unrestricted): as long as secure communication has been registered, a secure call can be placed, and no matter whether the caller or callee is a workspace contact, an ordinary contact or a manually dialled number, the call succeeds as long as the number is registered.
The web console configuration file adds the option "allow secure calls only between workspace contacts". When this switch is on, secure calls are only possible between workspace contacts, and the call cannot be placed if either party is not a workspace contact.
To strengthen the call control of the embodiment of the present application, the following embodiment is possible: if the TF card or SIM is removed after registration, tapping the dial function in the workspace pops up the toast "Encryption TF card / SIM not detected, secure call cannot be used" and the dial screen is not entered; tapping other dial buttons gives the same prompt.
If the TF card is removed during a call, the call is dropped; if the SIM is removed, the current call is not interrupted. In both cases, after the call ends the secure-call function is unavailable (the terminal can neither dial nor answer) until the SIM and TF card are reinserted, after which it can be used again.
If on authentication the reinserted SIM or TF card is found not to be the one previously bound, the secure-call function cannot be used; the terminal prompts "TF / SIM / TF and SIM fail to match the device, secure call cannot be used".
If the phone has no network connection, tapping the dial function in the workspace opens the call screen and pops up the dialog "Network not connected, secure call function cannot be used"; tapping the call button gives the same prompt.
If the dialled user has not registered the secure-call function, the dial screen pops up "Sorry, the user you dialled is unverified" before dialling.
Each time the user opens the dial function, the registration state of the contacts is refreshed asynchronously, and the icons of authenticated contacts in the call log, contacts and SMS are given a special mark.
When the console restricts calls to workspace contacts only: in SMS, the green dial icon on message records from non-workspace contacts is greyed out and the call operations in the "tap to save number" floating layer are removed; in the call log, the dial button for non-workspace contacts is greyed out and does nothing when tapped; the IP-dial and call pre-edit functions in the pop-up shown when a contact is tapped on the contact details page or at the top of an SMS are hidden; on the manually added contact details page the "Call" button is greyed out and the "Last contacted" position is replaced by "Calls to non-workspace contacts are forbidden".
In another feasible embodiment of the present application, when it is detected that both the sender's and the recipient's phone numbers of an SMS are stored in the workspace database, the recipient's public key is obtained from the key management server and the TF card is used to encrypt the plaintext SMS content, yielding the encrypted SMS, so that the recipient can perform the decryption of the encrypted SMS in his TF card with his private key and obtain the plaintext.
Note that SMS security and call security in this embodiment use the same secure-communication switch. The web console configuration file adds the option "allow secure SMS only between workspace contacts"; when the secure-communication switch is on, SMS can be exchanged only between workspace contacts, and no SMS can be sent or received if either party is not a workspace contact.
In this embodiment the hardware TF card is used as the cryptographic unit, and user identity authentication combined with the terminal's device identification number and TF card identifier realises access control, achieving hardware-level encryption protection of terminal data.
Fig. 2 is a flow chart of the terminal data protection method according to an embodiment of the present invention as executed at the application layer. With reference to Fig. 2, the method comprises the following steps:
S201: monitor the system events of the terminal and judge whether the system event matches a preset workspace rule;
wherein the system events include call events and SMS events;
S202: when the system event matches the workspace rule, perform the operation corresponding to the system event in the workspace, encrypt the data corresponding to the operation and store it in the workspace database.
In an optional embodiment, when the calling or called number of the call, or the sender's or recipient's phone number of the SMS, is judged to be stored in the workspace database, the call record or SMS is encrypted and stored in the workspace database, and the call record or SMS is deleted from the terminal's call log or SMS record; where the call event is an outgoing call event, the call record is deleted from the terminal's call log.
In an optional embodiment, a call options interface is provided through which the user chooses whether to delete the terminal's call record when the calling or called number of an incoming call is stored in the workspace database.
In an optional embodiment, a mail-rule options interface is provided through which the user sets the email accounts that may only be received in the workspace or with the workspace application, and these email accounts are stored in the workspace database; when the system event is judged to be the receipt of mail and the sender's email account is stored in the workspace database, the mail content and the downloaded attachments are encrypted and stored in the workspace database.
In an optional embodiment, the user enters the workspace to perform work (enterprise) operations, for example editing a schedule, sending SMS, writing mail, downloading forms or taking photos; the schedule, pictures, mail, forms, SMS and other data are encrypted and stored in the workspace database, so that public and private data are isolated, and even if another application on the terminal obtains the data, it cannot use it because it is encrypted. When the user views the data stored in the workspace database a password must be entered; if the terminal is lost, because the user has set a password for viewing the workspace data (the user can enable this function according to his own habits and wishes), anyone who does not know the password cannot view the workspace data; alternatively, enterprise management can remotely invoke the workspace application on the terminal to delete the workspace data stored there, protecting the enterprise data.
This embodiment sets up a secure, independent workspace on the mobile terminal and stores all work data, that is, enterprise applications and data, in the protected security zone, so that personal applications cannot access enterprise data; this prevents unauthorised access to enterprise data by personal applications and realises the public/private isolation of terminal data. Not only are enterprise data and personal data completely isolated, so that the IT department can better protect the enterprise's applications and data, but employees also keep an undiminished personal application experience, achieving dual use of the device.
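The following is an added example, not code from the patent, of the S201/S202 rule matching together with the console's "secure communication only between workspace contacts" switch described earlier. It assumes a simplified number normalisation (numbers without a country code are taken to be in `default_cc`), and it stands in for the TF card's encryption call with a SHA-256 counter keystream XOR so that the block runs offline; that stand-in is illustrative, unauthenticated, and not the page's algorithm. The events and contact are constructed.

```python
"""Workspace rule matching for call and SMS events (S201/S202), as an added example."""
import hashlib
import os
import re
from dataclasses import dataclass, field


def normalize_number(raw: str, default_cc: str = "+86") -> str:
    """Reduce a dialled or displayed number to one canonical form so that
    '+86 138-0000-0001', '0086 13800000001' and '13800000001' match the same contact.
    Assumption: numbers without a country code belong to default_cc."""
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("+"):
        return digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    return default_cc + digits


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the TF card's encryption call: a SHA-256 counter keystream XORed
    over the data (symmetric, so the same call decrypts). Illustrative only; it is
    unauthenticated and is not the page's algorithm."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


@dataclass
class Event:
    kind: str           # "call" or "sms"
    direction: str      # "in" or "out"
    remote: str         # the other party's number as seen by the terminal
    payload: str = ""   # call-record text or SMS body


@dataclass
class Workspace:
    contacts: set                         # normalized numbers stored in the workspace DB
    key: bytes                            # workspace data key (held by the TF card in the page's design)
    only_workspace_parties: bool = False  # console switch: secure comms only between workspace contacts
    db: list = field(default_factory=list)          # (nonce, ciphertext) records
    system_log: list = field(default_factory=list)  # the terminal's ordinary call/SMS log

    def handle(self, ev: Event) -> str:
        remote = normalize_number(ev.remote)
        if remote not in self.contacts:
            if self.only_workspace_parties:
                return "blocked"          # one party outside the workspace: not allowed
            self.system_log.append(ev)    # personal traffic stays in the normal log
            return "personal"
        nonce = os.urandom(12)
        record = f"{ev.kind}:{ev.direction}:{remote}:{ev.payload}".encode()
        self.db.append((nonce, keystream_xor(self.key, nonce, record)))
        # S202: the record exists only in the workspace DB, never in the system log
        self.system_log = [e for e in self.system_log if normalize_number(e.remote) != remote]
        return "workspace"

    def read(self, index: int) -> str:
        nonce, ct = self.db[index]
        return keystream_xor(self.key, nonce, ct).decode()


def demo() -> dict:
    """Constructed events (not real traffic) run through both switch settings."""
    ws = Workspace(contacts={normalize_number("+86 138-0000-0001")}, key=b"constructed-key")
    res = {
        "work_sms": ws.handle(Event("sms", "in", "0086 13800000001", "Q3 forecast attached")),
        "personal_call": ws.handle(Event("call", "out", "+86 139 0000 0002", "duration 42s")),
        "record": ws.read(0),
        "log_len": len(ws.system_log),
    }
    ws.only_workspace_parties = True
    res["personal_call_restricted"] = ws.handle(Event("call", "out", "+86 139 0000 0002"))
    return res


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The normalisation step is the part most often skipped in implementations of this idea: without it, a workspace contact dialled with a different prefix is treated as personal traffic and its record lands in the unencrypted system log.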
Fig. 3 is a flow chart of the terminal data protection method according to an embodiment of the present invention as executed at the operating system layer. With reference to Fig. 3, the method comprises the following steps:
S301: receive an installation request initiated for an application listed in the optional application list, the optional application list being obtained from the server;
In concrete implementation, the installation request is initiated after the enterprise user selects the application to be installed from the optional application list displayed on the mobile terminal.
In concrete implementation, a private space is set up on the server for storing the installation packages of applications uploaded to the server; in this embodiment it is called the application library. An application management list is maintained on the server; it contains the name and version number of every application whose installation package has been uploaded to the server, and may also contain other information about the application such as upload time, package size, installation count, etc. The enterprise administrator can view and edit the application management list and check statistics such as the installation count of each application.
Generally, installation packages are uploaded to the server by users. To ensure the security and reliability of the applications used on the mobile terminal, the server performs virus detection on the package and processes it before saving it. Processing the package prevents key information such as the application's core code from being obtained easily by reverse engineering, and adds a data encryption function to the application, increasing the safety factor.
Taking the Android system as an example, the processing of an application's installation package is briefly explained. Processing mainly changes the content of the application's classes.dex file: its content is encrypted with some algorithm, and when the apk (Android Package) runs it is dynamically decrypted to restore the original content; when the classes.dex file is modified it must still conform to the inherent format of a dex file. All uploaded installation packages undergo virus detection and processing, thereby blocking threats such as malicious tampering, code injection, memory modification, data theft and decompilation.
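The passage above says the modified classes.dex must still conform to the dex format. Concretely, the dex header carries three fields that depend on the rest of the file: `file_size` at offset 32, a SHA-1 signature at offset 12 over everything from offset 32, and an Adler-32 checksum at offset 8 over everything from offset 12 (so the checksum also covers the signature); any repacker must recompute them. The following added example (not the patent's code, and not a real packer) shows that repair on a constructed dex-like buffer. The "encryption" step is a placeholder XOR, not a cipher; what the example demonstrates is the header re-sealing and the verification a loader-style check performs.

```python
"""Keeping a modified classes.dex structurally valid, as an added example."""
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70                 # fixed dex header length
DEX_MAGIC = b"dex\n035\0"          # "dex\n" + version "035" + NUL


def build_header(file_size: int) -> bytearray:
    """A constructed header with only the fields this example touches set
    (a real dex also carries map/string/type table sizes and offsets)."""
    h = bytearray(HEADER_SIZE)
    h[0:8] = DEX_MAGIC
    struct.pack_into("<I", h, 32, file_size)     # file_size
    struct.pack_into("<I", h, 36, HEADER_SIZE)   # header_size
    struct.pack_into("<I", h, 40, 0x12345678)    # endian_tag (little-endian)
    return h


def seal(buf: bytearray) -> bytes:
    """Recompute the three header fields that depend on the rest of the file:
    file_size, the SHA-1 signature (over everything from offset 32) and the
    Adler-32 checksum (over everything from offset 12, so it covers the signature)."""
    struct.pack_into("<I", buf, 32, len(buf))
    buf[12:32] = hashlib.sha1(buf[32:]).digest()
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)
    return bytes(buf)


def verify(buf: bytes) -> list:
    """Return the names of header fields that do not match the file contents."""
    bad = []
    if buf[:8] != DEX_MAGIC:
        bad.append("magic")
    if struct.unpack_from("<I", buf, 8)[0] != zlib.adler32(buf[12:]) & 0xFFFFFFFF:
        bad.append("checksum")
    if buf[12:32] != hashlib.sha1(buf[32:]).digest():
        bad.append("signature")
    if struct.unpack_from("<I", buf, 32)[0] != len(buf):
        bad.append("file_size")
    return bad


def repack(dex: bytes, transform) -> bytes:
    """Apply `transform` to everything after the header and re-seal the header."""
    return seal(bytearray(dex[:HEADER_SIZE]) + transform(dex[HEADER_SIZE:]))


def placeholder_transform(payload: bytes) -> bytes:
    """Stands in for the packer's encryption step (and its inverse): XOR with a constant.
    It is a placeholder, not a cipher."""
    return bytes(b ^ 0x5A for b in payload)


# Constructed sample: a header followed by stand-in class data (not a real dex).
SAMPLE_DEX = seal(build_header(0) + b"constructed class data " * 4)


def demo() -> dict:
    packed = repack(SAMPLE_DEX, placeholder_transform)
    naive = SAMPLE_DEX[:HEADER_SIZE] + placeholder_transform(SAMPLE_DEX[HEADER_SIZE:])
    return {
        "original_problems": verify(SAMPLE_DEX),
        "packed_problems": verify(packed),
        "naive_problems": verify(naive),          # payload changed but header not re-sealed
        "round_trip": repack(packed, placeholder_transform) == SAMPLE_DEX,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: the checksum and signature are integrity fields, not a trust anchor, so anyone who can modify the dex can re-seal it; and rewriting classes.dex invalidates the APK's own code signature, so the repacked APK must be re-signed with the enterprise's signing key before the terminal will accept it.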
Specifically, the server can also divide the enterprise staff into different user groups by department or function, etc., and formulate a different application management strategy for each user group, for example classifying the applications in the application library by type and issuing applications of particular types to the user groups of different departments or functions. Through the server's grouping function, different applications can be distributed to different user groups. According to its own application management list and each user group's application management strategy, the server generates the corresponding optional application list for each user group and pushes it to the terminals of the users in that group; the optional application list contains the names and version numbers of the applications the user group may freely install. The terminal displays the optional application list in the enterprise application market of the workspace, from which enterprise users freely choose what to download and install.
S302: when it is confirmed that an application blacklist is deployed, judge whether the application to be installed is in the application blacklist; if so, forbid its installation, otherwise install it;
Specifically, on receiving the application blacklist configured by the server, detect according to the names and version numbers of the applications listed in the blacklist whether any blacklisted application is installed in the personal-zone storage space, and for each detected application send a warning that the application is forbidden to be installed;
S303: when it is confirmed that an application whitelist is deployed, judge whether the application to be installed is in the application whitelist; if so, install it, otherwise forbid its installation;
wherein the application blacklist or application whitelist is configured by the server.
Specifically, on receiving the application whitelist configured by the server, detect according to the names and version numbers of the applications listed in the whitelist whether any application not listed in the whitelist is installed in the personal-zone storage space, and for each detected application send a warning that the application is forbidden to be installed.
Installing the application in step S303 further comprises the following execution modes:
Download the installation package of the application from the server according to the installation request, modify the Manifest file of the package, and force the application's entry point into the workspace. And/or,
Add uninstall-monitoring code to the installation package of the application, so that when the terminal detects the uninstallation of the device corresponding to this data protection method it clears the data of the target application in the workspace. And/or,
Add server-communication code to the installation package of the application, so that when the terminal receives a data-clear command sent by the server it clears the corresponding application's data in the workspace. And/or,
Add decryption and encryption code to the installation package of the application, so that the terminal encrypts and decrypts the data the workspace reads and writes. And/or,
Add isolation code to the installation package of the application, so that the terminal intercepts the launch behaviour of applications in the workspace and sends the launch request to the server, which decides how the application is opened.
In this embodiment the server pushes the optional application list to the terminal, and the user can only initiate installation for applications listed in it, which guarantees the trustworthiness of the application source. After an installation request is initiated for an application, the application black/white list mechanism is used for control: only applications not in the application blacklist, or applications in the application whitelist, may be installed, and the installation of other applications is forbidden. This avoids the risk that enterprise data on the mobile terminal is illegally uploaded, shared or leaked by malicious applications, thus effectively protecting enterprise information security.
Fig. 4 is another flow chart of the terminal data protection method according to an embodiment of the present invention as executed at the operating system layer. With reference to Fig. 4, the embodiment of the present invention may also be as follows:
S401: when an application installation is detected in the workspace, send a request to the server to view the application list;
S402: receive the application list corresponding to the user group to which the terminal's user belongs, as issued by the server, and display it to the user in the terminal workspace; the application list corresponding to the user group contains information on the optional applications and the mandatory applications;
S403: according to the information on the mandatory applications in the application list, download the installation packages of the mandatory applications and silently install them in the workspace of the terminal;
This step specifically comprises: downloading the corresponding installation package according to the identifier and download address of each mandatory application's installation package in the application list;
judging whether WIFI is currently connected; if so, using the superuser (root) privilege that has been obtained to silently install the package into the workspace of the terminal.
S404: when a free-installation request sent by the user is received, download the installation package of the requested optional application according to the application list and install it in the workspace of the terminal.
This step specifically comprises: according to the installation package identifier specified in the request and the saved application list, downloading the installation package from the download address recorded in the application list;
computing the signature data of the downloaded installation package according to its identifier using the preset encryption algorithm, and determining whether the computed signature data is consistent with the signature data of that package in the saved list; if consistent, allow the package to be installed, otherwise refuse its installation.
In this embodiment, when an application is to be installed in the workspace of the terminal and a request to view the application list is sent to the server, the server determines the user group of the terminal's user and issues the application list corresponding to that user group to the terminal. The terminal can, on the one hand, download and silently install the mandatory applications in the workspace of the mobile terminal according to the information in the list and, on the other hand, let the user select optional applications from the list to install according to his needs. In the BYOD scenario this realises, on the premise of guaranteeing enterprise information security, the installation of personalised applications selected by different users in the mobile terminal workspace.
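The following added example (not the patent's code) brings together the install controls of S302/S303 and S403/S404: the black/white list decision keyed on name and version, the warning pass over the personal zone, the Wi-Fi and root preconditions for silent installation of mandatory applications, and the package check before an optional application is installed. The page does not say which "preset encryption algorithm" produces the signature data; the example assumes HMAC-SHA256 under a key shared with the server, so that altering the downloaded package without the key cannot produce a matching tag. The application list, packages and key are constructed.

```python
"""Install control in the workspace (S302/S303 black/white lists, S403/S404 package checks),
as an added example."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    version: str


@dataclass(frozen=True)
class ListEntry:
    """One row of the server-issued application list (S402)."""
    app: App
    mandatory: bool
    download_url: str
    signature: str      # signature data the server recorded for the package


@dataclass(frozen=True)
class ListPolicy:
    mode: str           # "blacklist", "whitelist" or "none"
    entries: frozenset  # Apps named in the list, matched by name and version


def install_allowed(app: App, policy: ListPolicy) -> bool:
    listed = app in policy.entries
    if policy.mode == "blacklist":
        return not listed
    if policy.mode == "whitelist":
        return listed
    return True


def personal_zone_warnings(installed, policy: ListPolicy) -> list:
    """S302/S303: apps already present in the personal zone that the policy forbids."""
    return [a for a in installed if not install_allowed(a, policy)]


def package_signature(pkg: bytes, list_key: bytes) -> str:
    """Assumption: the 'preset algorithm' is HMAC-SHA256 keyed with a secret shared with
    the server, so whoever can alter the downloaded package cannot also forge the tag."""
    return hmac.new(list_key, pkg, hashlib.sha256).hexdigest()


def verify_package(pkg: bytes, entry: ListEntry, list_key: bytes) -> bool:
    """S404: recompute the signature data and compare with the saved list entry."""
    return hmac.compare_digest(package_signature(pkg, list_key), entry.signature)


def silent_install_due(entry: ListEntry, wifi_connected: bool, have_root: bool) -> bool:
    """S403: mandatory apps are pushed silently only on Wi-Fi and with root available."""
    return entry.mandatory and wifi_connected and have_root


# Constructed data (not a real application list, package or key).
KEY = b"constructed-list-key"
GOOD_PKG = b"constructed apk bytes for crm 2.1"
CRM = App("crm", "2.1")
GAME = App("game", "1.0")
APP_LIST = [
    ListEntry(CRM, mandatory=True, download_url="https://server.example/apps/crm-2.1.apk",
              signature=package_signature(GOOD_PKG, KEY)),
    ListEntry(App("notes", "3.0"), mandatory=False, download_url="https://server.example/apps/notes-3.0.apk",
              signature=package_signature(b"constructed apk bytes for notes 3.0", KEY)),
]


def demo() -> dict:
    blacklist = ListPolicy("blacklist", frozenset({GAME}))
    whitelist = ListPolicy("whitelist", frozenset({CRM}))
    tampered = GOOD_PKG + b"\x00"
    return {
        "crm_under_blacklist": install_allowed(CRM, blacklist),
        "game_under_blacklist": install_allowed(GAME, blacklist),
        "game_under_whitelist": install_allowed(GAME, whitelist),
        "other_version_under_whitelist": install_allowed(App("crm", "2.0"), whitelist),
        "warnings": personal_zone_warnings([CRM, GAME], blacklist),
        "good_pkg": verify_package(GOOD_PKG, APP_LIST[0], KEY),
        "tampered_pkg": verify_package(tampered, APP_LIST[0], KEY),
        "silent": [e.app.name for e in APP_LIST if silent_install_due(e, True, True)],
        "silent_no_wifi": [e.app.name for e in APP_LIST if silent_install_due(e, False, True)],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Because matching is on the exact name and version, a whitelist silently rejects a newer build of a permitted application until the server republishes the list; whether that is the desired behaviour is a policy decision, but it should be a conscious one. Note also that a bare hash in a server-supplied list is only as trustworthy as the channel that delivered the list, which is why the key is shared rather than the digest alone.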
Fig. 5 is another flow chart of the terminal data protection method according to an embodiment of the present invention as executed at the application layer. With reference to Fig. 5, the method comprises the following steps:
S501: receive the location-based security policy information corresponding to the mobile terminal, as issued by the server;
wherein the security policy comprises:
within a specified geographic area, disabling at least one specific system function of the terminal;
within a specified geographic area, forbidding the launch and running of at least one specific application on the terminal.
S502: periodically check whether the terminal is within the geographic area specified in the location-based security policy information;
if yes, execute step S503; if no, repeat step S502.
S503: execute the security policy.
In S501 above, the security policy information may specifically comprise two kinds of information: the latitude and longitude information of the geographic area, and the security policy corresponding to that geographic area.
Further, when the security policy is:
forbidding, within the specified area, the launch and running of at least one specific application on the terminal, the security policy comprises: the specified geographic area information, and the security class information of the applications that are allowed and not allowed to launch and run;
Executing the security policy then specifically comprises: querying from the server the private attribute information and public attribute information of all locally installed applications; looking up the corresponding security class information in the private attribute information and public attribute information of each application obtained; combining the security class information found in each application's private attribute information and public attribute information as that application's security class information; and determining, from each application's security class information, whether the application may be launched and run within the specified area.
This embodiment enables a mobile terminal with BYOD function, on entering an area where the enterprise requires confidentiality and security control, to be governed by the security policy configured by the enterprise, ensuring enterprise information security, preventing leaks, and avoiding the potential safety hazard that the unfixed location of existing BYOD-capable mobile terminals brings to the enterprise.
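The following added example (not the patent's code) implements S501 through S503 as a small enforcer: it assumes the server encodes an area as a latitude/longitude box, combines the security class found in an application's private and public attributes into one set, lets a denied class win over an allowed one, and treats an application with no allowed class as blocked inside the area (default deny is an assumption the page does not state). Because S502 is periodic, the enforcer keeps the inside/outside state so that restrictions are applied on entry and lifted on exit. The coordinates, policy and application attributes are constructed.

```python
"""Location-based security policy (S501..S503), as an added example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Area:
    """Assumption: the server encodes an area as a latitude/longitude box."""
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float

    def contains(self, lat: float, lon: float) -> bool:
        return self.lat_min <= lat <= self.lat_max and self.lon_min <= lon <= self.lon_max


@dataclass(frozen=True)
class GeoPolicy:
    area: Area
    disabled_functions: frozenset   # system functions switched off inside the area
    allowed_classes: frozenset      # security classes that may launch inside the area
    denied_classes: frozenset       # security classes that may not


def app_security_classes(private_attrs: dict, public_attrs: dict) -> frozenset:
    """Combine the class found in the private and the public attribute set into one set."""
    return frozenset(a["security_class"] for a in (private_attrs, public_attrs)
                     if "security_class" in a)


def may_run(classes: frozenset, policy: GeoPolicy) -> bool:
    """Deny wins; an app with no explicitly allowed class is treated as not allowed
    (assumption: default deny inside a controlled area)."""
    if classes & policy.denied_classes:
        return False
    return bool(classes & policy.allowed_classes)


class Enforcer:
    """Holds the inside/outside state between the periodic checks of S502 so that
    restrictions are applied on entry and lifted again on exit."""

    def __init__(self, policy: GeoPolicy, app_attrs: dict):
        self.policy = policy
        self.app_attrs = app_attrs      # name -> (private_attrs, public_attrs), as fetched in S503
        self.inside = False

    def tick(self, lat: float, lon: float) -> dict:
        now_inside = self.policy.area.contains(lat, lon)
        action = {"inside": now_inside, "changed": now_inside != self.inside}
        self.inside = now_inside
        if now_inside:
            action["disable"] = sorted(self.policy.disabled_functions)
            action["blocked_apps"] = sorted(
                name for name, (priv, pub) in self.app_attrs.items()
                if not may_run(app_security_classes(priv, pub), self.policy))
        else:
            action["disable"] = []
            action["blocked_apps"] = []
        return action


# Constructed policy and application attributes (not real coordinates of any site).
PLANT = Area(lat_min=31.20, lat_max=31.22, lon_min=121.45, lon_max=121.47)
POLICY = GeoPolicy(PLANT, disabled_functions=frozenset({"camera", "bluetooth"}),
                   allowed_classes=frozenset({"enterprise"}),
                   denied_classes=frozenset({"social", "cloud-storage"}))
APPS = {
    "crm": ({"security_class": "enterprise"}, {}),
    "chat": ({}, {"security_class": "social"}),
    "drive": ({"security_class": "enterprise"}, {"security_class": "cloud-storage"}),  # mixed: deny wins
    "unknown": ({}, {}),
}


def demo() -> list:
    e = Enforcer(POLICY, APPS)
    return [e.tick(31.00, 121.40),    # outside
            e.tick(31.21, 121.46),    # entered the area
            e.tick(31.215, 121.46),   # still inside, nothing changed
            e.tick(31.30, 121.50)]    # left the area


if __name__ == "__main__":
    for step in demo():
        print(step)
```

A practitioner would also pin down what happens when no fix is available or the location source is untrusted (a spoofed GPS fix moves the terminal "outside"); the page leaves that open, and the enforcer above simply keeps its last state until the next successful check.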
In particular, the terminal data protection method according to an embodiment of the present invention may also be executed at the communication layer, specifically comprising:
Using a VPN to set up a dedicated network, and, when an application in the workspace performs network access, encrypting the communication data between the VPN server and the mobile terminal; and/or
When an application in the workspace accesses an external network, checking the URL of the external network;
When the external URL is judged to carry an access risk, forbidding the application's access, and adding the external URL to a risk list for subsequent judgement.
VPN has inherited network security technology, and combines the characteristic of Ipv6 of future generation, utilizes public network to set up interconnected virtual private passage by tunnel, certification, Access Control, data encryption technology, realizes the safety of the network interconnection, has guaranteed the security reliability of communication. VPN can provide high-caliber safety, uses senior encryption and Identity verification protocol protected data to avoid being spied upon, and stops data burglar to contact this data with other unauthorized users. It should be noted that; various embodiments of the present invention are respectively the optional implementation method at distinct device layer to a kind of terminal data protection method of the present invention; can individualism between between each embodiment, also can carry out different combinations, the embodiment of the present invention does not limit its combination. For example; in a kind of feasible embodiment; can carry out respectively the protection of terminal data in hardware layer, operating system layer, application layer and communication layers, in other embodiment of the application, also only certain one deck in above-mentioned four layers carries out the deployment of data protection.
In addition, the embodiment that Fig. 2 and Fig. 5 are corresponding is the optional implementation of the present invention in application layer, and these two kinds of modes can be used in combination, to realize application layer data protection. The embodiment that Fig. 3 and Fig. 4 are corresponding is the optional implementation of the present invention at operating system layer, these two kinds of modes can be used in combination, to realize data protection by operating system layer.
Fig. 6 is the apparatus structure schematic diagram of the device of a kind of protecting terminal data of the embodiment of the present invention, and in conjunction with Fig. 6, the embodiment of the present invention is positioned at hardware layer to be carried out, and comprises following module:
Set up module 611, for setting up the workspace for storing business data in terminal;
Encrypting module 612, for being encrypted described workspace storage data at the TF of described terminal card according to default AES;
Authentication module 613, configured to obtain the authentication information of a data access request when the data access request is detected;
Access control module 614, configured to accept the data access request when the authentication information is judged to pass authentication.
The encrypting module 612 is specifically configured to: select the corresponding encryption algorithm according to the terminal user's settings, and call the SDK of the TF card to perform the encryption operation on the data saved by the terminal.
The authentication information comprises: the TF card identifier of the terminal, the SIM identifier, the device identification number and the network state of the terminal.
The access control module 614 is further configured to:
when it is detected that both the calling number and the called number of a call are stored in the database of the workspace, encrypt the call session.
The access control module 614 is further configured to:
when it is detected that both the sender's and the recipient's telephone numbers of a short message are stored in the database of the workspace, obtain the recipient's public key from the key management server and use the TF card to perform the encryption operation on the plaintext short message content, obtaining an encrypted short message, so that the recipient obtains the plaintext short message by performing the decryption operation on the encrypted short message with the private key in the TF card.
Executed at the application layer, the device further comprises:
Monitoring module 621, configured to monitor the system events of the terminal and judge whether a system event meets a preset workspace rule; wherein the system events comprise call events and short message events;
Execution module 622, configured to, when the system event meets the workspace rule, perform the operation corresponding to the system event in the workspace space, encrypt the data corresponding to the operation and store it in the database of the workspace space.
The execution module 622 further comprises a call and short message execution module 623, which is configured to:
when it is judged that the calling or called number of the call, or the sender's or recipient's telephone number of the short message, is stored in the database of the workspace space, encrypt the call record or short message, store the call record or short message in the database of the workspace space, and delete the call record or short message from the call records or short message records of the terminal; wherein, when the call event is an outgoing call event, the call record is deleted from the call records of the terminal; and a call options interface is provided through which the user selects whether to delete the call record of the terminal when the calling or called number of an incoming call is stored in the database of the workspace space.
The execution module 622 further comprises a user option module 624 and a mail execution module 625. The user option module 624 is configured to provide a mail rule options interface through which the user sets the e-mail accounts that may only be received in the workspace or by workspace applications, and to store those e-mail accounts in the database of the workspace space;
the mail execution module 625 is configured to, when it is judged that the system event is receiving mail and the sender's e-mail account is stored in the database of the workspace space, encrypt the mail content and the downloaded mail attachments and store the mail content and the downloaded mail attachments in the database of the workspace space.
Executed at the operating system layer, the device further comprises:
Receiving module 631, configured to receive an installation request initiated for an application program listed in the application free-installation list, the application free-installation list being obtained from the server;
First confirmation module 632, configured to, when it is confirmed that an application blacklist is deployed, judge whether the application program to be installed is in the application blacklist; if so, forbid installation of the application program, otherwise install the application program;
Second confirmation module 633, configured to, when it is confirmed that an application whitelist is deployed, judge whether the application program to be installed is in the application whitelist; if so, install the application program, otherwise forbid installation of the application program; wherein the application blacklist or application whitelist is configured by the server.
The device further comprises an installation module 634, which is specifically configured to:
download the installation package of the application program from the server according to the installation request; and modify the Manifest file of the installation package so that the entry point of the application program is forcibly redirected to the workspace.
The first confirmation module 632 is specifically configured to, upon receiving the application blacklist configured by the server, detect, according to the names and version numbers of the application programs listed in the application blacklist, whether any application program listed in the application blacklist is installed in the personal-zone storage space, and issue, for each application program detected, warning information that the application program is forbidden from being installed;
the second confirmation module 633 is specifically configured to, upon receiving the application whitelist configured by the server, detect, according to the names and version numbers of the application programs listed in the application whitelist, whether any application program not listed in the application whitelist is installed in the personal-zone storage space, and issue, for each application program detected, warning information that the application program is forbidden from being installed.
The installation module 634 is specifically further configured to:
add uninstall monitoring code to the installation package of the application program, so that when the terminal detects that the device corresponding to the data protection method has been uninstalled, it clears the data of the target application program inside the workspace.
The installation module 634 is specifically further configured to:
add server communication code to the installation package of the application program, so that the terminal clears the data of the corresponding application program in the workspace when it receives a data clearing command sent by the server side.
The installation module 634 is specifically further configured to:
add decryption and encryption code to the installation package of the application program, so that the terminal encrypts and decrypts the data read and written in the workspace.
The installation module 634 is specifically further configured to:
add isolation code to the installation package of the application program, so that the terminal intercepts the launch behaviour of application programs in the workspace and sends the launch request to the server, the launch mode of the application program being judged by the server.
Executed at the application layer, the device further comprises:
Second receiving module 641, configured to receive the geographic-location-based security policy information corresponding to the mobile terminal issued by the server; wherein the security policy comprises: disabling at least one specific system function of the terminal within a specified geographic area; and forbidding the start-up and operation of at least one specific application program on the terminal within a specified geographic area.
Geographic location checking module 642, configured to periodically check whether the terminal itself is within the geographic area specified in the geographic-location-based security policy information;
Security policy execution module 643, configured to execute the security policy when the geographic location checking module determines that the mobile terminal is within the geographic area specified in the geographic-location-based security policy information.
When the security policy is forbidding the start-up and operation of at least one specific application program on the terminal within the specified area, the security policy comprises: the specified geographic area range information, and the security level information of the applications permitted and not permitted to start up and operate;
and executing the security policy specifically comprises:
sending a query to the server for the private attribute information and the public attribute information of all local applications;
looking up the corresponding security level information from the obtained private attribute information and public attribute information of each application respectively;
taking the combination of the security level information found in the private attribute information and the public attribute information of each application as the security level information of that application;
determining, according to the security level information of each application, whether the start-up and operation of that application is permitted in the specified area.
Executed at the communication layer, the device further comprises:
Network transmission encrypting module 651, configured to set up a dedicated network using a VPN and, when an application program of the workspace performs network access, encrypt the communication data between the VPN server and the mobile terminal; and/or
External network access control module 652, configured to, when an application program of the workspace accesses an external network, inspect the URL of the external network;
and, when the URL of the external network is judged to carry an access risk, forbid the application program's access and add the external network URL to a risk list for subsequent judgement.
1a. A method for protecting terminal data, executed at the hardware layer, comprising the following steps:
Establishing a workspace in the terminal for storing business data;
Encrypting the data stored in the workspace in the TF card of the terminal according to a preset encryption algorithm;
When a data access request is detected, obtaining the authentication information of the data access request;
Accepting the data access request when the authentication information is judged to pass authentication.
2a. The method as described in 1a, wherein encrypting the stored data according to a preset encryption algorithm specifically comprises:
Selecting the corresponding encryption algorithm according to the terminal user's settings, and calling the SDK of the TF card to perform the encryption operation on the data saved by the terminal.
3a. The method as described in 1a, wherein, in obtaining the authentication information of the data access request,
the authentication information comprises: the TF card identifier of the terminal, the SIM identifier, the device identification number and the network state of the terminal.
4a. The method as described in 1a, wherein accepting the data access request when the authentication information is judged to pass authentication further comprises:
When it is detected that both the calling number and the called number of a call are stored in the database of the workspace, encrypting the call session.
5a. The method as described in 1a, wherein accepting the data access request when the authentication information is judged to pass authentication further comprises:
When it is detected that both the sender's and the recipient's telephone numbers of a short message are stored in the database of the workspace, obtaining the recipient's public key from the key management server and using the TF card to perform the encryption operation on the plaintext short message content, obtaining an encrypted short message, so that the recipient obtains the plaintext short message by performing the decryption operation on the encrypted short message with the private key in the TF card.
6a. The method as described in 1a, further executed at the application layer, the method further comprising:
Monitoring the system events of the terminal and judging whether a system event meets a preset workspace rule; wherein the system events comprise call events and short message events;
When the system event meets the workspace rule, performing the operation corresponding to the system event in the workspace space, encrypting the data corresponding to the operation and storing it in the database of the workspace space.
7a. The method as described in 6a, characterized in that the method specifically comprises:
When it is judged that the calling or called number of the call, or the sender's or recipient's telephone number of the short message, is stored in the database of the workspace space, encrypting the call record or short message, storing the call record or short message in the database of the workspace space, and deleting the call record or short message from the call records or short message records of the terminal; wherein, when the call event is an outgoing call event, the call record is deleted from the call records of the terminal; and providing a call options interface through which the user selects whether to delete the call record of the terminal when the calling or called number of an incoming call is stored in the database of the workspace space.
8a. The method as described in 6a, wherein the method specifically comprises:
Providing a mail rule options interface through which the user sets the e-mail accounts that may only be received in the workspace or by workspace applications, and storing those e-mail accounts in the database of the workspace space;
When it is judged that the system event is receiving mail and the sender's e-mail account is stored in the database of the workspace space, encrypting the mail content and the downloaded mail attachments, and storing the mail content and the downloaded mail attachments in the database of the workspace space.
9a. The method as described in 1a, further executed at the operating system layer, the method further comprising:
Receiving an installation request initiated for an application program listed in the application free-installation list, the application free-installation list being obtained from the server;
When it is confirmed that an application blacklist is deployed, judging whether the application program to be installed is in the application blacklist; if so, forbidding installation of the application program, otherwise installing the application program;
When it is confirmed that an application whitelist is deployed, judging whether the application program to be installed is in the application whitelist; if so, installing the application program, otherwise forbidding installation of the application program; wherein the application blacklist or application whitelist is configured by the server.
10a. The method as described in 9a, wherein installing the application program specifically comprises:
Downloading the installation package of the application program from the server according to the installation request;
Modifying the Manifest file of the installation package so that the entry point of the application program is forcibly redirected to the workspace.
11a. The method as described in 9a, the method further comprising:
Upon receiving the application blacklist configured by the server, detecting, according to the names and version numbers of the application programs listed in the application blacklist, whether any application program listed in the application blacklist is installed in the personal-zone storage space, and issuing, for each application program detected, warning information that the application program is forbidden from being installed;
Upon receiving the application whitelist configured by the server, detecting, according to the names and version numbers of the application programs listed in the application whitelist, whether any application program not listed in the application whitelist is installed in the personal-zone storage space, and issuing, for each application program detected, warning information that the application program is forbidden from being installed.
12a. The method as described in 10a, the method further comprising:
Adding uninstall monitoring code to the installation package of the application program, so that when the terminal detects that the device corresponding to the data protection method has been uninstalled, it clears the data of the target application program inside the workspace.
13a. The method as described in 10a, the method further comprising:
Adding server communication code to the installation package of the application program, so that the terminal clears the data of the corresponding application program in the workspace when it receives a data clearing command sent by the server side.
14a. The method as described in 10a, the method further comprising:
Adding decryption and encryption code to the installation package of the application program, so that the terminal encrypts and decrypts the data read and written in the workspace.
15a. The method as described in 10a, the method further comprising:
Adding isolation code to the installation package of the application program, so that the terminal intercepts the launch behaviour of application programs in the workspace and sends the launch request to the server, the launch mode of the application program being judged by the server.
16a. The method as described in 1a, further executed at the application layer, the method further comprising:
Receiving the geographic-location-based security policy information corresponding to the mobile terminal issued by the server; wherein the security policy comprises: disabling at least one specific system function of the terminal within a specified geographic area; and forbidding the start-up and operation of at least one specific application program on the terminal within a specified geographic area.
Periodically checking whether the terminal itself is within the geographic area specified in the geographic-location-based security policy information;
If so, executing the security policy.
17a. The method as described in 16a, wherein, when the security policy is:
forbidding the start-up and operation of at least one specific application program on the terminal within the specified area, the security policy comprises:
the specified geographic area range information, and the security level information of the applications permitted and not permitted to start up and operate;
and executing the security policy specifically comprises:
Sending a query to the server for the private attribute information and the public attribute information of all local applications;
Looking up the corresponding security level information from the obtained private attribute information and public attribute information of each application respectively;
Taking the combination of the security level information found in the private attribute information and the public attribute information of each application as the security level information of that application;
Determining, according to the security level information of each application, whether the start-up and operation of that application is permitted in the specified area.
18a. The method as described in 1a, further executed at the communication layer, the method further comprising:
Setting up a dedicated network using a VPN and, when an application program of the workspace performs network access, encrypting the communication data between the VPN server and the mobile terminal; and/or
When an application program of the workspace accesses an external network, inspecting the URL of the external network;
When the URL of the external network is judged to carry an access risk, forbidding the application program's access and adding the external network URL to a risk list for subsequent judgement.
19b. A device for protecting terminal data, the device being located at the hardware layer and comprising the following modules:
Establishing module, configured to establish a workspace in the terminal for storing business data;
Encrypting module, configured to encrypt the data stored in the workspace in the TF card of the terminal according to a preset encryption algorithm;
Authentication module, configured to obtain the authentication information of a data access request when the data access request is detected;
Access control module, configured to accept the data access request when the authentication information is judged to pass authentication.
20b. The device as described in 19b, wherein the encrypting module is specifically configured to:
select the corresponding encryption algorithm according to the terminal user's settings, and call the SDK of the TF card to perform the encryption operation on the data saved by the terminal.
21b. The device as described in 19b, wherein the authentication information comprises: the TF card identifier of the terminal, the SIM identifier, the device identification number and the network state of the terminal.
22b. The device as described in 19b, wherein the access control module is further configured to:
when it is detected that both the calling number and the called number of a call are stored in the database of the workspace, encrypt the call session.
23b. The device as described in 19b, wherein the access control module is further configured to:
when it is detected that both the sender's and the recipient's telephone numbers of a short message are stored in the database of the workspace, obtain the recipient's public key from the key management server and use the TF card to perform the encryption operation on the plaintext short message content, obtaining an encrypted short message, so that the recipient obtains the plaintext short message by performing the decryption operation on the encrypted short message with the private key in the TF card.
24b. The device as described in 19b, wherein the device is located at the application layer and further comprises:
Monitoring module, configured to monitor the system events of the terminal and judge whether a system event meets a preset workspace rule; wherein the system events comprise call events and short message events;
Execution module, configured to, when the system event meets the workspace rule, perform the operation corresponding to the system event in the workspace space, encrypt the data corresponding to the operation and store it in the database of the workspace space.
25b. The device as described in 24b, characterized in that the execution module further comprises a call and short message execution module, which is configured to:
when it is judged that the calling or called number of the call, or the sender's or recipient's telephone number of the short message, is stored in the database of the workspace space, encrypt the call record or short message, store the call record or short message in the database of the workspace space, and delete the call record or short message from the call records or short message records of the terminal; wherein, when the call event is an outgoing call event, the call record is deleted from the call records of the terminal; and a call options interface is provided through which the user selects whether to delete the call record of the terminal when the calling or called number of an incoming call is stored in the database of the workspace space.
26b. The device as described in 24b, characterized in that the execution module further comprises a user option module and a mail execution module. The user option module is configured to provide a mail rule options interface through which the user sets the e-mail accounts that may only be received in the workspace or by workspace applications, and to store those e-mail accounts in the database of the workspace space;
the mail execution module is configured to, when it is judged that the system event is receiving mail and the sender's e-mail account is stored in the database of the workspace space, encrypt the mail content and the downloaded mail attachments and store the mail content and the downloaded mail attachments in the database of the workspace space.
27b. The device as described in 19b, wherein the device is located at the operating system layer and further comprises:
Receiving module, configured to receive an installation request initiated for an application program listed in the application free-installation list, the application free-installation list being obtained from the server;
First confirmation module, configured to, when it is confirmed that an application blacklist is deployed, judge whether the application program to be installed is in the application blacklist; if so, forbid installation of the application program, otherwise install the application program;
Second confirmation module, configured to, when it is confirmed that an application whitelist is deployed, judge whether the application program to be installed is in the application whitelist; if so, install the application program, otherwise forbid installation of the application program; wherein the application blacklist or application whitelist is configured by the server.
28b. The device as described in 27b, characterized in that the device further comprises an installation module, which is specifically configured to:
download the installation package of the application program from the server according to the installation request;
modify the Manifest file of the installation package so that the entry point of the application program is forcibly redirected to the workspace.
29b. The device as described in 27b, wherein
the first confirmation module is specifically configured to, upon receiving the application blacklist configured by the server, detect, according to the names and version numbers of the application programs listed in the application blacklist, whether any application program listed in the application blacklist is installed in the personal-zone storage space, and issue, for each application program detected, warning information that the application program is forbidden from being installed;
the second confirmation module is specifically configured to, upon receiving the application whitelist configured by the server, detect, according to the names and version numbers of the application programs listed in the application whitelist, whether any application program not listed in the application whitelist is installed in the personal-zone storage space, and issue, for each application program detected, warning information that the application program is forbidden from being installed.
30b. The device as described in 28b, wherein the installation module is specifically further configured to:
add uninstall monitoring code to the installation package of the application program, so that when the terminal detects that the device corresponding to the data protection method has been uninstalled, it clears the data of the target application program inside the workspace.
31b. The device as described in 28b, wherein the installation module is specifically further configured to:
add server communication code to the installation package of the application program, so that the terminal clears the data of the corresponding application program in the workspace when it receives a data clearing command sent by the server side.
32b. The device as described in 28b, wherein the installation module is specifically further configured to:
add decryption and encryption code to the installation package of the application program, so that the terminal encrypts and decrypts the data read and written in the workspace.
33b. The device as described in 28b, wherein the installation module is specifically further configured to:
add isolation code to the installation package of the application program, so that the terminal intercepts the launch behaviour of application programs in the workspace and sends the launch request to the server, the launch mode of the application program being judged by the server.
34b. The device as described in 19b, wherein the device is located at the application layer and further comprises:
Second receiving module, configured to receive the geographic-location-based security policy information corresponding to the mobile terminal issued by the server; wherein the security policy comprises: disabling at least one specific system function of the terminal within a specified geographic area; and forbidding the start-up and operation of at least one specific application program on the terminal within a specified geographic area.
Geographic location checking module, configured to periodically check whether the terminal itself is within the geographic area specified in the geographic-location-based security policy information;
Security policy execution module, configured to execute the security policy when the geographic location checking module determines that the mobile terminal is within the geographic area specified in the geographic-location-based security policy information.
35b. The device as described in 34b, wherein, when the security policy is forbidding the start-up and operation of at least one specific application program on the terminal within the specified area, the security policy comprises: the specified geographic area range information, and the security level information of the applications permitted and not permitted to start up and operate;
and executing the security policy specifically comprises:
sending a query to the server for the private attribute information and the public attribute information of all local applications;
looking up the corresponding security level information from the obtained private attribute information and public attribute information of each application respectively;
taking the combination of the security level information found in the private attribute information and the public attribute information of each application as the security level information of that application;
determining, according to the security level information of each application, whether the start-up and operation of that application is permitted in the specified area.
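The geographic-location-based policy of 16a/17a and 34b/35b (periodic region check, security level combined from private and public attribute information, start-up decision) worked through as added example code that is not the patent's own. Assumptions not in the text: the region is a circle given by centre and radius in metres, a security level is an integer, the "combination" of the private and public levels is their maximum, and the attribute data is the constructed sample in the block.

```python
"""Geographic-location-based security policy: the server issues a region and
the security levels that are and are not permitted to run there; the terminal
periodically checks whether it is inside the region and, if so, derives each
application's security level from its private and public attribute information
and decides whether the application may start. Example code, not the patent's
own; circular region, integer levels, max-combination and sample data assumed."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class GeoPolicy:
    centre_lat: float
    centre_lon: float
    radius_m: float
    allowed_levels: frozenset      # levels permitted to start and run in the region
    forbidden_levels: frozenset    # levels not permitted in the region


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def in_region(policy, lat, lon):
    """The periodic self-location check: is the terminal inside the specified area?"""
    return haversine_m(policy.centre_lat, policy.centre_lon, lat, lon) <= policy.radius_m


def app_security_level(private_attrs, public_attrs):
    """Combine the level looked up in the private and in the public attribute
    information; the stricter (higher) level wins (assumption)."""
    return max(private_attrs["security_level"], public_attrs["security_level"])


def level_permitted(policy, level):
    """Fail closed: a level must be explicitly allowed and not forbidden."""
    return level in policy.allowed_levels and level not in policy.forbidden_levels


def execute_policy(policy, lat, lon, apps):
    """apps maps application name -> (private_attrs, public_attrs) as returned by
    the server query. Returns name -> True if start-up and operation is permitted."""
    if not in_region(policy, lat, lon):
        return {name: True for name in apps}          # policy applies only inside the area
    return {name: level_permitted(policy, app_security_level(prv, pub))
            for name, (prv, pub) in apps.items()}


# Constructed sample: a 500 m zone and three local applications.
SAMPLE_POLICY = GeoPolicy(39.9042, 116.4074, 500.0, frozenset({0, 1}), frozenset({2, 3}))
SAMPLE_APPS = {
    "camera": ({"security_level": 2}, {"security_level": 1}),   # combined 2: blocked
    "notes":  ({"security_level": 1}, {"security_level": 0}),   # combined 1: allowed
    "mail":   ({"security_level": 0}, {"security_level": 0}),   # combined 0: allowed
}

if __name__ == "__main__":
    print(execute_policy(SAMPLE_POLICY, 39.9045, 116.4080, SAMPLE_APPS))  # inside the zone
    print(execute_policy(SAMPLE_POLICY, 39.9500, 116.5000, SAMPLE_APPS))  # outside the zone
```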
36b. The device as described in 19b, wherein the device is located at the communication layer and further comprises:
Network transmission encrypting module, configured to set up a dedicated network using a VPN and, when an application program of the workspace performs network access, encrypt the communication data between the VPN server and the mobile terminal; and/or
External network access control module, configured to, when an application program of the workspace accesses an external network, inspect the URL of the external network; and, when the URL of the external network is judged to carry an access risk, forbid the application program's access and add the external network URL to a risk list for subsequent judgement.
Certain terms are used throughout the description and claims to refer to particular components. Those skilled in the art should understand that hardware manufacturers may refer to the same component by different names. This specification and the claims do not distinguish components by differences in name, but by differences in function. The term "comprising", wherever it appears in the description and claims, is open-ended and should be construed as "including but not limited to". "Approximately" means that, within an acceptable error range, a person skilled in the art can solve the technical problem within a certain error and substantially achieve the described technical effect. In addition, the term "couple" here includes any direct or indirect electrical coupling means. Therefore, if the text describes a first device as coupled to a second device, the first device may be directly electrically coupled to the second device, or indirectly electrically coupled to the second device through another device or coupling means. The following description sets out preferred embodiments for implementing the application; it is intended to illustrate the general principles of the application and not to limit its scope. The scope of protection of the application is defined by the appended claims.
It should also be noted that the terms "comprise", "comprising" or any other variant thereof are intended to cover a non-exclusive inclusion, such that an article or system that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such an article or system. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the presence of other identical elements in the article or system that comprises the element.
The above description shows and describes some preferred embodiments of the present invention, but, as stated above, it should be understood that the present invention is not limited to the form disclosed herein, which should not be regarded as excluding other embodiments; it may be used in various other combinations, modifications and environments, and may be changed within the scope of the inventive concept described herein by the above teachings or by the skill or knowledge of the related art. Changes and variations made by those skilled in the art that do not depart from the spirit and scope of the present invention shall all fall within the scope of protection of the appended claims.
Claims (10)
1. A terminal data protection method, characterized in that it is performed at the hardware layer and comprises the following steps:
establishing, in the terminal, a workspace for storing business data;
encrypting the data stored in the workspace in the TF card of the terminal according to a preset AES encryption algorithm;
when a data access request is detected, obtaining the identity authentication information of the data access request;
accepting the data access request when the identity authentication information is determined to pass authentication.
2. The method according to claim 1, characterized in that, performed at the application layer, the method further comprises:
monitoring system events of the terminal and judging whether a system event satisfies a preset workspace rule, wherein the system events comprise call events and short message events;
when the system event satisfies the workspace rule, performing the operation corresponding to the system event within the workspace, and encrypting the data corresponding to the operation and storing it in the database in the workspace.
3. The method according to claim 1, characterized in that, performed at the operating system layer, the method further comprises:
receiving an installation request initiated for an application program listed in an application free-installation list, the application free-installation list being obtained from a server;
when it is confirmed that an application blacklist is deployed, judging whether the application program to be installed is in the application blacklist; if so, prohibiting the installation of the application program, otherwise installing the application program;
when it is confirmed that an application whitelist is deployed, judging whether the application program to be installed is in the application whitelist; if so, installing the application program, otherwise prohibiting the installation of the application; wherein the application blacklist or the application whitelist is configured by the server.
4. The method according to claim 1, characterized in that, performed at the application layer, the method further comprises:
receiving security policy information, based on geographical position and corresponding to the mobile terminal, issued by the server; wherein the security policy comprises: within a specified geographical area, disabling at least one specific system function of the terminal; within a specified geographical area, prohibiting the start-up and operation of at least one specific application program in the terminal;
periodically checking whether the terminal itself is within the geographical area specified in the geographical-position-based security policy information;
if so, executing the security policy.
5. The method according to claim 1, characterized in that, performed at the communication layer, the method further comprises:
using a VPN to establish a dedicated network, and encrypting the communication data between the VPN server and the mobile terminal when an application program of the workspace performs network access; and/or
when an application program of the workspace accesses an external network, detecting the URL of the external network;
when the URL of the external network is judged to carry an access risk, prohibiting the application program from accessing it, and adding the external-network URL to a risk list for subsequent judgement.
6. A terminal data protection device, characterized in that the device is located at the hardware layer and comprises the following modules:
an establishing module, for establishing in the terminal a workspace for storing business data;
an encryption module, for encrypting the data stored in the workspace in the TF card of the terminal according to a preset AES encryption algorithm;
an authentication module, for obtaining the identity authentication information of a data access request when the data access request is detected;
an access control module, for accepting the data access request when the identity authentication information is determined to pass authentication.
7. The device according to claim 6, characterized in that, at the application layer, the device further comprises:
a monitoring module, for monitoring system events of the terminal and judging whether a system event satisfies a preset workspace rule, wherein the system events comprise call events and short message events;
an execution module, for performing, when the system event satisfies the workspace rule, the operation corresponding to the system event within the workspace, and encrypting the data corresponding to the operation and storing it in the database in the workspace.
8. The device according to claim 6, characterized in that, at the operating system layer, the device further comprises:
a receiving module, for receiving an installation request initiated for an application program listed in an application free-installation list, the application free-installation list being obtained from a server;
a first confirmation module, for judging, when it is confirmed that an application blacklist is deployed, whether the application program to be installed is in the application blacklist; if so, prohibiting the installation of the application program, otherwise installing the application program;
a second confirmation module, for judging, when it is confirmed that an application whitelist is deployed, whether the application program to be installed is in the application whitelist; if so, installing the application program, otherwise prohibiting the installation of the application; wherein the application blacklist or the application whitelist is configured by the server.
9. The device according to claim 6, characterized in that, at the application layer, the device further comprises:
a second receiving module, for receiving the security policy information, based on geographical position and corresponding to the mobile terminal, issued by the server; wherein the security policy comprises: within a specified geographical area, disabling at least one specific system function of the terminal; within a specified geographical area, prohibiting the start-up and operation of at least one specific application program in the terminal;
a geographical position checking module, for periodically checking whether the terminal itself is within the geographical area specified in the geographical-position-based security policy information;
a security policy execution module, for executing the security policy when the geographical position checking module determines that the mobile terminal is within the geographical area specified in the geographical-position-based security policy information.
10. The device according to claim 6, characterized in that, at the communication layer, the device further comprises:
a network transmission encryption module, for using a VPN to establish a dedicated network and encrypting the communication data between the VPN server and the mobile terminal when an application program of the workspace performs network access; and/or
an external network access control module, for detecting the URL of the external network when an application program of the workspace accesses the external network; when the URL of the external network is judged to carry an access risk, prohibiting the application program from accessing it and adding the external-network URL to a risk list for subsequent judgement.
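The installation control of claims 3 and 8 (a server-supplied free-installation list gating requests, then a deployed blacklist or whitelist deciding the outcome) is shown below as an added worked example in Python. It is not code from the patent or from any product of the applicant. The JSON field names, the rule that the free-installation list is checked first, and the rule that the more restrictive answer wins when both a blacklist and a whitelist are deployed are assumptions made for this example; the sample policy document is constructed.

```python
"""Application-installation control modelled on claims 3 and 8.

Added example; not code from the patent. Assumptions: the server delivers
the three lists as one JSON document (field names below are invented for
the example), requests are only considered for apps on the free-installation
list, and when both a blacklist and a whitelist are deployed the more
restrictive answer wins.
"""
import json
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class InstallPolicy:
    free_install_list: FrozenSet[str]             # apps a user may request at all
    blacklist: Optional[FrozenSet[str]] = None    # None: no blacklist deployed
    whitelist: Optional[FrozenSet[str]] = None    # None: no whitelist deployed

    @classmethod
    def from_server_json(cls, text: str) -> "InstallPolicy":
        """Parse the server-issued policy, rejecting malformed input."""
        doc = json.loads(text)
        if not isinstance(doc, dict):
            raise ValueError("policy document must be a JSON object")
        unknown = set(doc) - {"free_install_list", "blacklist", "whitelist"}
        if unknown:
            raise ValueError(f"unknown policy fields: {sorted(unknown)}")

        def ids(key: str) -> Optional[FrozenSet[str]]:
            value = doc.get(key)
            if value is None:
                return None
            if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
                raise ValueError(f"{key} must be a list of package names")
            return frozenset(value)

        free = ids("free_install_list")
        if free is None:
            raise ValueError("free_install_list is required")
        return cls(free, ids("blacklist"), ids("whitelist"))


def decide_install(app_id: str, policy: InstallPolicy) -> Tuple[bool, str]:
    """Return (allowed, reason) for an installation request for app_id."""
    # Only requests for apps on the server's free-installation list are considered.
    if app_id not in policy.free_install_list:
        return False, "not in free-installation list"
    # Blacklist deployed: listed apps are refused.
    if policy.blacklist is not None and app_id in policy.blacklist:
        return False, "blacklisted"
    # Whitelist deployed: only listed apps are installed.
    if policy.whitelist is not None and app_id not in policy.whitelist:
        return False, "not whitelisted"
    return True, "permitted"


# Constructed sample policy document (not from the patent).
SAMPLE_POLICY_JSON = """
{
  "free_install_list": ["com.example.mail", "com.example.chat", "com.example.game"],
  "blacklist": ["com.example.game"]
}
"""

if __name__ == "__main__":
    policy = InstallPolicy.from_server_json(SAMPLE_POLICY_JSON)
    for app in ("com.example.mail", "com.example.game", "com.example.unknown"):
        print(app, decide_install(app, policy))
```

The parser refuses unknown fields and non-string entries so that a malformed or tampered policy document fails closed instead of silently becoming an empty list that permits everything.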
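The periodic location check of claims 4 and 9 (a server-issued, terminal-specific policy that disables system functions and blocks application programs inside specified geographical areas) is shown below as an added worked example in Python; it is not code from the patent. The patent does not define how an area is described, so each region is assumed here to be a circle given by a centre and a radius in metres, distances are computed with the haversine formula, and the policy is assumed to carry the identifier of the terminal it was issued for. The sample policy and positions are constructed.

```python
"""Location-based security policy modelled on claims 4 and 9.

Added example; not code from the patent. Assumptions: each policy region is
a circle (centre latitude/longitude in degrees, radius in metres), the policy
carries the terminal id it applies to, and the caller supplies the terminal's
current position from whatever location source it trusts.
"""
import math
from dataclasses import dataclass
from typing import FrozenSet, Tuple

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Region:
    name: str
    lat: float
    lon: float
    radius_m: float
    disabled_functions: FrozenSet[str]   # system functions to switch off inside
    blocked_apps: FrozenSet[str]         # apps that may not start or run inside


@dataclass(frozen=True)
class GeoPolicy:
    terminal_id: str
    regions: Tuple[Region, ...]


@dataclass(frozen=True)
class Enforcement:
    disabled_functions: FrozenSet[str]
    blocked_apps: FrozenSet[str]
    matched_regions: Tuple[str, ...]


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def evaluate(policy: GeoPolicy, terminal_id: str, lat: float, lon: float) -> Enforcement:
    """One periodic check: which restrictions apply at the current position.

    Overlapping regions are merged, so the union of their restrictions applies.
    """
    if terminal_id != policy.terminal_id:
        raise ValueError("policy was issued for a different terminal")
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("position out of range")
    funcs, apps, names = set(), set(), []
    for region in policy.regions:
        if haversine_m(lat, lon, region.lat, region.lon) <= region.radius_m:
            funcs |= region.disabled_functions
            apps |= region.blocked_apps
            names.append(region.name)
    return Enforcement(frozenset(funcs), frozenset(apps), tuple(names))


# Constructed sample policy (coordinates and names are illustrative only).
SAMPLE_POLICY = GeoPolicy(
    terminal_id="T-0001",
    regions=(
        Region("secure-site", 39.9042, 116.4074, 500.0,
               frozenset({"camera"}), frozenset({"com.example.cloudsync"})),
        Region("campus", 39.9042, 116.4074, 3000.0,
               frozenset({"bluetooth"}), frozenset()),
    ),
)

if __name__ == "__main__":
    # Roughly 100 m, 1.8 km and 5.1 km north of the centre.
    for lat in (39.9051, 39.92, 39.95):
        print(lat, evaluate(SAMPLE_POLICY, "T-0001", lat, 116.4074))
```

A caller would run `evaluate` on a timer, apply the returned restrictions, and lift those no longer returned once the terminal has left the area; comparing successive `Enforcement` values is what makes the policy reversible.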
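The external-network URL check of claims 5 and 10 (detect the URL, refuse access when it carries a risk, and record it in a risk list consulted on later requests) is shown below as an added worked example in Python; it is not code from the patent. The patent does not say how a URL is judged risky, so the criteria used here (host on a server-supplied risk-domain list, host given as a raw IP literal, or a scheme other than HTTP/HTTPS) are assumptions chosen for the example, and the risk-domain entries and URLs are constructed.

```python
"""External-network URL check with a growing risk list, after claims 5 and 10.

Added example; not code from the patent. The risk criteria (risk-domain list
match, raw IP host, non-HTTP(S) scheme) are assumptions for the example, and
the risk-domain entries are constructed.
"""
import ipaddress
from typing import Set, Tuple
from urllib.parse import urlsplit


class ExtranetGuard:
    def __init__(self, risk_domains: Set[str]):
        self.risk_domains = {d.lower().strip(".") for d in risk_domains}
        # URLs denied so far; consulted first on later requests (claim 5).
        self.risk_list: Set[str] = set()

    @staticmethod
    def _is_ip_literal(host: str) -> bool:
        try:
            ipaddress.ip_address(host.strip("[]"))
            return True
        except ValueError:
            return False

    def _domain_risky(self, host: str) -> bool:
        # Match the host itself or any parent domain on the risk-domain list.
        labels = host.split(".")
        return any(".".join(labels[i:]) in self.risk_domains for i in range(len(labels)))

    def check(self, url: str) -> Tuple[bool, str]:
        """Return (allowed, reason); denied URLs are remembered in risk_list."""
        if url in self.risk_list:
            return False, "previously denied"
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().strip(".")
        reason = None
        if parts.scheme not in ("http", "https"):
            reason = "unsupported scheme"
        elif not host:
            reason = "no host"
        elif self._is_ip_literal(host):
            reason = "raw IP host"
        elif self._domain_risky(host):
            reason = "host on risk-domain list"
        if reason is not None:
            self.risk_list.add(url)
            return False, reason
        return True, "allowed"


if __name__ == "__main__":
    guard = ExtranetGuard({"bad.example.net"})   # constructed risk-domain list
    for u in ("https://intranet.example.com/report",
              "https://sub.bad.example.net/login",
              "https://sub.bad.example.net/login",
              "http://192.0.2.10/",
              "ftp://files.example.com/"):
        print(u, guard.check(u))
```

The risk list is keyed on the exact URL, which is what the claim describes; a deployment would normally also key it on the host so that a denied site cannot be reached again by varying the path.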
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610016234.4A CN105610671A (en) | 2016-01-11 | 2016-01-11 | Terminal data protection method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610016234.4A CN105610671A (en) | 2016-01-11 | 2016-01-11 | Terminal data protection method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105610671A true CN105610671A (en) | 2016-05-25 |
Family
ID=55990216
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610016234.4A Pending CN105610671A (en) | 2016-01-11 | 2016-01-11 | Terminal data protection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105610671A (en) |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106022165A (en) * | 2016-05-31 | 2016-10-12 | 宇龙计算机通信科技(深圳)有限公司 | Access control method and device |
CN106096452A (en) * | 2016-06-24 | 2016-11-09 | 贵州万臻时代通讯技术有限公司 | The theft preventing method of a kind of terminal mirror image backup and device |
CN106101377A (en) * | 2016-05-26 | 2016-11-09 | 深圳市金立通信设备有限公司 | A kind of data guard method and terminal |
CN106375332A (en) * | 2016-09-23 | 2017-02-01 | 北京巨龟科技有限责任公司 | Network safe browsing method and device |
CN106375997A (en) * | 2016-08-22 | 2017-02-01 | 努比亚技术有限公司 | Terminal control device, method and terminal |
CN107066889A (en) * | 2017-04-25 | 2017-08-18 | 北京洋浦伟业科技发展有限公司 | A kind of data access control method and system based on geographical location information |
CN107358068A (en) * | 2017-07-11 | 2017-11-17 | 安徽声讯信息技术有限公司 | A kind of method that moving chip by mobile phone TF card encrypts handset program |
CN107563221A (en) * | 2017-09-04 | 2018-01-09 | 安徽爱她有果电子商务有限公司 | A kind of certification decoding security management system for encrypting database |
CN108076458A (en) * | 2016-11-15 | 2018-05-25 | 中国移动通信有限公司研究院 | A kind of method, device and mobile terminal for binding TF cipher cards |
CN108197940A (en) * | 2018-01-17 | 2018-06-22 | 武汉轻工大学 | Payment request response method, mobile terminal and the readable storage medium storing program for executing of mobile terminal |
CN108270601A (en) * | 2016-12-30 | 2018-07-10 | 中兴通讯股份有限公司 | Mobile terminal, warning information acquisition, alarm information sender method and device |
CN108270741A (en) * | 2016-12-30 | 2018-07-10 | 北京润信恒达科技有限公司 | Mobile terminal authentication method and system |
CN112631967A (en) * | 2020-12-18 | 2021-04-09 | 北京中电华大电子设计有限责任公司 | High-capacity TF-SIM card and communication method thereof |
CN112948874A (en) * | 2021-02-10 | 2021-06-11 | 上海凯馨信息科技有限公司 | Secret state data access method |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103051456A (en) * | 2012-12-25 | 2013-04-17 | 北京大唐智能卡技术有限公司 | Method for managing application procedures in intelligent secure digital (SD) card and system |
CN103164350A (en) * | 2011-12-16 | 2013-06-19 | 国民技术股份有限公司 | Secure digital (SD) card device and method of regionally accessing SD card |
CN103647784A (en) * | 2013-12-20 | 2014-03-19 | 北京奇虎科技有限公司 | Public and private isolation method and device |
CN103646215A (en) * | 2013-12-23 | 2014-03-19 | 北京奇虎科技有限公司 | Application installation control method, related system and related device |
CN103647785A (en) * | 2013-12-20 | 2014-03-19 | 北京奇虎科技有限公司 | Security control method, device and system for mobile terminal |
CN103685266A (en) * | 2013-12-10 | 2014-03-26 | 北京奇虎科技有限公司 | Method and device for protecting enterprise data |
CN104462997A (en) * | 2014-12-04 | 2015-03-25 | 北京奇虎科技有限公司 | Method, device and system for protecting work data in mobile terminal |
US20150326513A1 (en) * | 2014-05-07 | 2015-11-12 | Mitake Information Corporation | Message transmission system and method suitable for individual and organization |
2016
- 2016-01-11 CN CN201610016234.4A patent/CN105610671A/en active Pending
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103164350A (en) * | 2011-12-16 | 2013-06-19 | 国民技术股份有限公司 | Secure digital (SD) card device and method of regionally accessing SD card |
CN103051456A (en) * | 2012-12-25 | 2013-04-17 | 北京大唐智能卡技术有限公司 | Method for managing application procedures in intelligent secure digital (SD) card and system |
CN103685266A (en) * | 2013-12-10 | 2014-03-26 | 北京奇虎科技有限公司 | Method and device for protecting enterprise data |
CN103647784A (en) * | 2013-12-20 | 2014-03-19 | 北京奇虎科技有限公司 | Public and private isolation method and device |
CN103647785A (en) * | 2013-12-20 | 2014-03-19 | 北京奇虎科技有限公司 | Security control method, device and system for mobile terminal |
CN103646215A (en) * | 2013-12-23 | 2014-03-19 | 北京奇虎科技有限公司 | Application installation control method, related system and related device |
US20150326513A1 (en) * | 2014-05-07 | 2015-11-12 | Mitake Information Corporation | Message transmission system and method suitable for individual and organization |
CN104462997A (en) * | 2014-12-04 | 2015-03-25 | 北京奇虎科技有限公司 | Method, device and system for protecting work data in mobile terminal |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106101377A (en) * | 2016-05-26 | 2016-11-09 | 深圳市金立通信设备有限公司 | A kind of data guard method and terminal |
CN106022165A (en) * | 2016-05-31 | 2016-10-12 | 宇龙计算机通信科技(深圳)有限公司 | Access control method and device |
CN106096452A (en) * | 2016-06-24 | 2016-11-09 | 贵州万臻时代通讯技术有限公司 | The theft preventing method of a kind of terminal mirror image backup and device |
CN106096452B (en) * | 2016-06-24 | 2019-06-25 | 贵州万臻时代通讯技术有限公司 | A kind of theft preventing method and device of terminal mirror image backup |
CN106375997A (en) * | 2016-08-22 | 2017-02-01 | 努比亚技术有限公司 | Terminal control device, method and terminal |
CN106375332A (en) * | 2016-09-23 | 2017-02-01 | 北京巨龟科技有限责任公司 | Network safe browsing method and device |
CN108076458A (en) * | 2016-11-15 | 2018-05-25 | 中国移动通信有限公司研究院 | A kind of method, device and mobile terminal for binding TF cipher cards |
CN108270741A (en) * | 2016-12-30 | 2018-07-10 | 北京润信恒达科技有限公司 | Mobile terminal authentication method and system |
CN108270601A (en) * | 2016-12-30 | 2018-07-10 | 中兴通讯股份有限公司 | Mobile terminal, warning information acquisition, alarm information sender method and device |
CN108270741B (en) * | 2016-12-30 | 2021-02-12 | 北京润信恒达科技有限公司 | Mobile terminal authentication method and system |
CN107066889A (en) * | 2017-04-25 | 2017-08-18 | 北京洋浦伟业科技发展有限公司 | A kind of data access control method and system based on geographical location information |
CN107358068A (en) * | 2017-07-11 | 2017-11-17 | 安徽声讯信息技术有限公司 | A kind of method that moving chip by mobile phone TF card encrypts handset program |
CN107358068B (en) * | 2017-07-11 | 2020-11-06 | 安徽声讯信息技术有限公司 | Method for encrypting mobile phone program through mobile chip of mobile phone TF card |
CN107563221A (en) * | 2017-09-04 | 2018-01-09 | 安徽爱她有果电子商务有限公司 | A kind of certification decoding security management system for encrypting database |
CN108197940A (en) * | 2018-01-17 | 2018-06-22 | 武汉轻工大学 | Payment request response method, mobile terminal and the readable storage medium storing program for executing of mobile terminal |
CN112631967A (en) * | 2020-12-18 | 2021-04-09 | 北京中电华大电子设计有限责任公司 | High-capacity TF-SIM card and communication method thereof |
CN112631967B (en) * | 2020-12-18 | 2023-12-26 | 北京中电华大电子设计有限责任公司 | High-capacity TF-SIM card and communication method thereof |
CN112948874A (en) * | 2021-02-10 | 2021-06-11 | 上海凯馨信息科技有限公司 | Secret state data access method |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105610671A (en) | Terminal data protection method and device | |
Souppaya et al. | Guidelines for managing the security of mobile devices in the enterprise | |
Pell et al. | Your secret stingray's no secret anymore: The vanishing government monopoly over cell phone surveillance and its impact on national security and consumer privacy | |
EP2742710B1 (en) | Method and apparatus for providing a secure virtual environment on a mobile device | |
CN100484159C (en) | Portable information terminal and data protecting method | |
CN102227734B (en) | Client computer for protecting confidential file, server computer therefor, method therefor | |
Souppaya et al. | Guide to enterprise telework, remote access, and bring your own device (BYOD) security | |
CN105830477A (en) | Operating system integrated domain management | |
CN103793960A (en) | Method for mobile key service | |
CN100353787C (en) | Security guarantee for memory data information of mobile terminal | |
CN106231115A (en) | A kind of information protecting method and terminal | |
EP3200084A1 (en) | Data reading/writing method of dual-system terminal and dual-system terminal | |
WO2017166362A1 (en) | Esim number writing method, security system, esim number server, and terminal | |
CN104427089A (en) | Mobile terminal and mobile terminal authority management method | |
CN101449549A (en) | Authenticating a tamper-resistant module in a base station router | |
CN102457766A (en) | Method for checking access authority of Internet protocol television | |
CN107358097A (en) | A kind of method and system in open environment Computer protecting information safety | |
CN111614686A (en) | Key management method, controller and system | |
CN105162763A (en) | Method and device for processing communication data | |
JP2006228139A (en) | Security management system | |
CN101262669B (en) | A secure guarantee method for information stored in a mobile terminal | |
Souppaya et al. | User’s Guide to Telework and Bring Your Own Device (BYOD) Security | |
JP2009015766A (en) | User terminal, access management system, access management method, and program | |
EP2709333A1 (en) | Method and devices for data leak protection | |
Androulidakis et al. | Industrial espionage and technical surveillance counter measurers |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20160525 |